From 3125144445f3dbb5705744a67f1a81d3e5f88d87 Mon Sep 17 00:00:00 2001 From: Al-Kindi-0 <82364884+Al-Kindi-0@users.noreply.github.com> Date: Tue, 24 Oct 2023 11:34:02 +0200 Subject: [PATCH] feat: RPX (xHash12) hash function implementation --- benches/hash.rs | 59 +- src/hash/mod.rs | 12 +- .../{rpo/mds_freq.rs => rescue/mds/freq.rs} | 9 +- src/hash/rescue/mds/mod.rs | 214 +++++ src/hash/rescue/mod.rs | 398 ++++++++ src/hash/{ => rescue}/rpo/digest.rs | 55 +- src/hash/rescue/rpo/mod.rs | 324 +++++++ src/hash/{ => rescue}/rpo/tests.rs | 15 +- src/hash/rescue/rpx/digest.rs | 299 ++++++ src/hash/rescue/rpx/mod.rs | 379 ++++++++ src/hash/rescue/tests.rs | 9 + src/hash/rpo/mod.rs | 905 ------------------ src/lib.rs | 5 +- src/main.rs | 5 +- src/merkle/mmr/full.rs | 5 +- src/merkle/mmr/mod.rs | 2 +- src/merkle/mmr/partial.rs | 4 +- src/merkle/mmr/tests.rs | 5 +- src/merkle/node.rs | 2 +- src/merkle/store/tests.rs | 3 +- 20 files changed, 1716 insertions(+), 993 deletions(-) rename src/hash/{rpo/mds_freq.rs => rescue/mds/freq.rs} (96%) create mode 100644 src/hash/rescue/mds/mod.rs create mode 100644 src/hash/rescue/mod.rs rename src/hash/{ => rescue}/rpo/digest.rs (87%) create mode 100644 src/hash/rescue/rpo/mod.rs rename src/hash/{ => rescue}/rpo/tests.rs (96%) create mode 100644 src/hash/rescue/rpx/digest.rs create mode 100644 src/hash/rescue/rpx/mod.rs create mode 100644 src/hash/rescue/tests.rs delete mode 100644 src/hash/rpo/mod.rs diff --git a/benches/hash.rs b/benches/hash.rs index 271c1f5..ea5e1e0 100644 --- a/benches/hash.rs +++ b/benches/hash.rs @@ -3,6 +3,7 @@ use miden_crypto::{ hash::{ blake::Blake3_256, rpo::{Rpo256, RpoDigest}, + rpx::{Rpx256, RpxDigest}, }, Felt, }; @@ -57,6 +58,54 @@ fn rpo256_sequential(c: &mut Criterion) { }); } +fn rpx256_2to1(c: &mut Criterion) { + let v: [RpxDigest; 2] = [Rpx256::hash(&[1_u8]), Rpx256::hash(&[2_u8])]; + c.bench_function("RPX256 2-to-1 hashing (cached)", |bench| { + bench.iter(|| Rpx256::merge(black_box(&v))) + }); + + c.bench_function("RPX256 2-to-1 hashing (random)", |bench| { + bench.iter_batched( + || { + [ + Rpx256::hash(&rand_value::().to_le_bytes()), + Rpx256::hash(&rand_value::().to_le_bytes()), + ] + }, + |state| Rpx256::merge(&state), + BatchSize::SmallInput, + ) + }); +} + +fn rpx256_sequential(c: &mut Criterion) { + let v: [Felt; 100] = (0..100) + .into_iter() + .map(Felt::new) + .collect::>() + .try_into() + .expect("should not fail"); + c.bench_function("RPX256 sequential hashing (cached)", |bench| { + bench.iter(|| Rpx256::hash_elements(black_box(&v))) + }); + + c.bench_function("RPX256 sequential hashing (random)", |bench| { + bench.iter_batched( + || { + let v: [Felt; 100] = (0..100) + .into_iter() + .map(|_| Felt::new(rand_value())) + .collect::>() + .try_into() + .expect("should not fail"); + v + }, + |state| Rpx256::hash_elements(&state), + BatchSize::SmallInput, + ) + }); +} + fn blake3_2to1(c: &mut Criterion) { let v: [::Digest; 2] = [Blake3_256::hash(&[1_u8]), Blake3_256::hash(&[2_u8])]; @@ -106,5 +155,13 @@ fn blake3_sequential(c: &mut Criterion) { }); } -criterion_group!(hash_group, rpo256_2to1, rpo256_sequential, blake3_2to1, blake3_sequential); +criterion_group!( + hash_group, + rpx256_2to1, + rpx256_sequential, + rpo256_2to1, + rpo256_sequential, + blake3_2to1, + blake3_sequential +); criterion_main!(hash_group); diff --git a/src/hash/mod.rs b/src/hash/mod.rs index 8c87562..ea06833 100644 --- a/src/hash/mod.rs +++ b/src/hash/mod.rs @@ -1,9 +1,17 @@ //! Cryptographic hash functions used by the Miden VM and the Miden rollup. -use super::{Felt, FieldElement, StarkField, ONE, ZERO}; +use super::{CubeExtension, Felt, FieldElement, StarkField, ONE, ZERO}; pub mod blake; -pub mod rpo; + +mod rescue; +pub mod rpo { + pub use super::rescue::{Rpo256, RpoDigest}; +} + +pub mod rpx { + pub use super::rescue::{Rpx256, RpxDigest}; +} // RE-EXPORTS // ================================================================================================ diff --git a/src/hash/rpo/mds_freq.rs b/src/hash/rescue/mds/freq.rs similarity index 96% rename from src/hash/rpo/mds_freq.rs rename to src/hash/rescue/mds/freq.rs index 6d1f1fd..17ef67f 100644 --- a/src/hash/rpo/mds_freq.rs +++ b/src/hash/rescue/mds/freq.rs @@ -11,7 +11,8 @@ /// divisions by 2 and repeated modular reductions. This is because of our explicit choice of /// an MDS matrix that has small powers of 2 entries in frequency domain. /// The following implementation has benefited greatly from the discussions and insights of -/// Hamish Ivey-Law and Jacqueline Nabaglo of Polygon Zero. +/// Hamish Ivey-Law and Jacqueline Nabaglo of Polygon Zero and is base on Nabaglo's Plonky2 +/// implementation. // Rescue MDS matrix in frequency domain. // More precisely, this is the output of the three 4-point (real) FFTs of the first column of @@ -26,7 +27,7 @@ const MDS_FREQ_BLOCK_THREE: [i64; 3] = [-8, 1, 1]; // We use split 3 x 4 FFT transform in order to transform our vectors into the frequency domain. #[inline(always)] -pub(crate) const fn mds_multiply_freq(state: [u64; 12]) -> [u64; 12] { +pub const fn mds_multiply_freq(state: [u64; 12]) -> [u64; 12] { let [s0, s1, s2, s3, s4, s5, s6, s7, s8, s9, s10, s11] = state; let (u0, u1, u2) = fft4_real([s0, s3, s6, s9]); @@ -156,7 +157,7 @@ const fn block3(x: [i64; 3], y: [i64; 3]) -> [i64; 3] { #[cfg(test)] mod tests { - use super::super::{Felt, Rpo256, MDS, ZERO}; + use super::super::{apply_mds, Felt, MDS, ZERO}; use proptest::prelude::*; const STATE_WIDTH: usize = 12; @@ -185,7 +186,7 @@ mod tests { v2 = v1; apply_mds_naive(&mut v1); - Rpo256::apply_mds(&mut v2); + apply_mds(&mut v2); prop_assert_eq!(v1, v2); } diff --git a/src/hash/rescue/mds/mod.rs b/src/hash/rescue/mds/mod.rs new file mode 100644 index 0000000..11b1972 --- /dev/null +++ b/src/hash/rescue/mds/mod.rs @@ -0,0 +1,214 @@ +use super::{Felt, STATE_WIDTH, ZERO}; + +mod freq; +pub use freq::mds_multiply_freq; + +// MDS MULTIPLICATION +// ================================================================================================ + +#[inline(always)] +pub fn apply_mds(state: &mut [Felt; STATE_WIDTH]) { + let mut result = [ZERO; STATE_WIDTH]; + + // Using the linearity of the operations we can split the state into a low||high decomposition + // and operate on each with no overflow and then combine/reduce the result to a field element. + // The no overflow is guaranteed by the fact that the MDS matrix is a small powers of two in + // frequency domain. + let mut state_l = [0u64; STATE_WIDTH]; + let mut state_h = [0u64; STATE_WIDTH]; + + for r in 0..STATE_WIDTH { + let s = state[r].inner(); + state_h[r] = s >> 32; + state_l[r] = (s as u32) as u64; + } + + let state_h = mds_multiply_freq(state_h); + let state_l = mds_multiply_freq(state_l); + + for r in 0..STATE_WIDTH { + let s = state_l[r] as u128 + ((state_h[r] as u128) << 32); + let s_hi = (s >> 64) as u64; + let s_lo = s as u64; + let z = (s_hi << 32) - s_hi; + let (res, over) = s_lo.overflowing_add(z); + + result[r] = Felt::from_mont(res.wrapping_add(0u32.wrapping_sub(over as u32) as u64)); + } + *state = result; +} + +// MDS MATRIX +// ================================================================================================ + +/// RPO MDS matrix +pub const MDS: [[Felt; STATE_WIDTH]; STATE_WIDTH] = [ + [ + Felt::new(7), + Felt::new(23), + Felt::new(8), + Felt::new(26), + Felt::new(13), + Felt::new(10), + Felt::new(9), + Felt::new(7), + Felt::new(6), + Felt::new(22), + Felt::new(21), + Felt::new(8), + ], + [ + Felt::new(8), + Felt::new(7), + Felt::new(23), + Felt::new(8), + Felt::new(26), + Felt::new(13), + Felt::new(10), + Felt::new(9), + Felt::new(7), + Felt::new(6), + Felt::new(22), + Felt::new(21), + ], + [ + Felt::new(21), + Felt::new(8), + Felt::new(7), + Felt::new(23), + Felt::new(8), + Felt::new(26), + Felt::new(13), + Felt::new(10), + Felt::new(9), + Felt::new(7), + Felt::new(6), + Felt::new(22), + ], + [ + Felt::new(22), + Felt::new(21), + Felt::new(8), + Felt::new(7), + Felt::new(23), + Felt::new(8), + Felt::new(26), + Felt::new(13), + Felt::new(10), + Felt::new(9), + Felt::new(7), + Felt::new(6), + ], + [ + Felt::new(6), + Felt::new(22), + Felt::new(21), + Felt::new(8), + Felt::new(7), + Felt::new(23), + Felt::new(8), + Felt::new(26), + Felt::new(13), + Felt::new(10), + Felt::new(9), + Felt::new(7), + ], + [ + Felt::new(7), + Felt::new(6), + Felt::new(22), + Felt::new(21), + Felt::new(8), + Felt::new(7), + Felt::new(23), + Felt::new(8), + Felt::new(26), + Felt::new(13), + Felt::new(10), + Felt::new(9), + ], + [ + Felt::new(9), + Felt::new(7), + Felt::new(6), + Felt::new(22), + Felt::new(21), + Felt::new(8), + Felt::new(7), + Felt::new(23), + Felt::new(8), + Felt::new(26), + Felt::new(13), + Felt::new(10), + ], + [ + Felt::new(10), + Felt::new(9), + Felt::new(7), + Felt::new(6), + Felt::new(22), + Felt::new(21), + Felt::new(8), + Felt::new(7), + Felt::new(23), + Felt::new(8), + Felt::new(26), + Felt::new(13), + ], + [ + Felt::new(13), + Felt::new(10), + Felt::new(9), + Felt::new(7), + Felt::new(6), + Felt::new(22), + Felt::new(21), + Felt::new(8), + Felt::new(7), + Felt::new(23), + Felt::new(8), + Felt::new(26), + ], + [ + Felt::new(26), + Felt::new(13), + Felt::new(10), + Felt::new(9), + Felt::new(7), + Felt::new(6), + Felt::new(22), + Felt::new(21), + Felt::new(8), + Felt::new(7), + Felt::new(23), + Felt::new(8), + ], + [ + Felt::new(8), + Felt::new(26), + Felt::new(13), + Felt::new(10), + Felt::new(9), + Felt::new(7), + Felt::new(6), + Felt::new(22), + Felt::new(21), + Felt::new(8), + Felt::new(7), + Felt::new(23), + ], + [ + Felt::new(23), + Felt::new(8), + Felt::new(26), + Felt::new(13), + Felt::new(10), + Felt::new(9), + Felt::new(7), + Felt::new(6), + Felt::new(22), + Felt::new(21), + Felt::new(8), + Felt::new(7), + ], +]; diff --git a/src/hash/rescue/mod.rs b/src/hash/rescue/mod.rs new file mode 100644 index 0000000..3d76203 --- /dev/null +++ b/src/hash/rescue/mod.rs @@ -0,0 +1,398 @@ +use super::{ + CubeExtension, Digest, ElementHasher, Felt, FieldElement, Hasher, StarkField, ONE, ZERO, +}; +use core::ops::Range; + +mod mds; +use mds::{apply_mds, MDS}; + +mod rpo; +pub use rpo::{Rpo256, RpoDigest}; + +mod rpx; +pub use rpx::{Rpx256, RpxDigest}; + +#[cfg(test)] +mod tests; + +// CONSTANTS +// ================================================================================================ + +/// The number of rounds is set to 7. For the RPO hash functions all rounds are uniform. For the +/// RPX hash function, there are 3 different types of rounds. +const NUM_ROUNDS: usize = 7; + +/// Sponge state is set to 12 field elements or 96 bytes; 8 elements are reserved for rate and +/// the remaining 4 elements are reserved for capacity. +const STATE_WIDTH: usize = 12; + +/// The rate portion of the state is located in elements 4 through 11. +const RATE_RANGE: Range = 4..12; +const RATE_WIDTH: usize = RATE_RANGE.end - RATE_RANGE.start; + +const INPUT1_RANGE: Range = 4..8; +const INPUT2_RANGE: Range = 8..12; + +/// The capacity portion of the state is located in elements 0, 1, 2, and 3. +const CAPACITY_RANGE: Range = 0..4; + +/// The output of the hash function is a digest which consists of 4 field elements or 32 bytes. +/// +/// The digest is returned from state elements 4, 5, 6, and 7 (the first four elements of the +/// rate portion). +const DIGEST_RANGE: Range = 4..8; +const DIGEST_SIZE: usize = DIGEST_RANGE.end - DIGEST_RANGE.start; + +/// The number of byte chunks defining a field element when hashing a sequence of bytes +const BINARY_CHUNK_SIZE: usize = 7; + +/// S-Box and Inverse S-Box powers; +/// +/// The constants are defined for tests only because the exponentiations in the code are unrolled +/// for efficiency reasons. +#[cfg(test)] +const ALPHA: u64 = 7; +#[cfg(test)] +const INV_ALPHA: u64 = 10540996611094048183; + +// SBOX FUNCTION +// ================================================================================================ + +#[inline(always)] +fn apply_sbox(state: &mut [Felt; STATE_WIDTH]) { + state[0] = state[0].exp7(); + state[1] = state[1].exp7(); + state[2] = state[2].exp7(); + state[3] = state[3].exp7(); + state[4] = state[4].exp7(); + state[5] = state[5].exp7(); + state[6] = state[6].exp7(); + state[7] = state[7].exp7(); + state[8] = state[8].exp7(); + state[9] = state[9].exp7(); + state[10] = state[10].exp7(); + state[11] = state[11].exp7(); +} + +// INVERSE SBOX FUNCTION +// ================================================================================================ + +#[inline(always)] +fn apply_inv_sbox(state: &mut [Felt; STATE_WIDTH]) { + // compute base^10540996611094048183 using 72 multiplications per array element + // 10540996611094048183 = b1001001001001001001001001001000110110110110110110110110110110111 + + // compute base^10 + let mut t1 = *state; + t1.iter_mut().for_each(|t| *t = t.square()); + + // compute base^100 + let mut t2 = t1; + t2.iter_mut().for_each(|t| *t = t.square()); + + // compute base^100100 + let t3 = exp_acc::(t2, t2); + + // compute base^100100100100 + let t4 = exp_acc::(t3, t3); + + // compute base^100100100100100100100100 + let t5 = exp_acc::(t4, t4); + + // compute base^100100100100100100100100100100 + let t6 = exp_acc::(t5, t3); + + // compute base^1001001001001001001001001001000100100100100100100100100100100 + let t7 = exp_acc::(t6, t6); + + // compute base^1001001001001001001001001001000110110110110110110110110110110111 + for (i, s) in state.iter_mut().enumerate() { + let a = (t7[i].square() * t6[i]).square().square(); + let b = t1[i] * t2[i] * *s; + *s = a * b; + } + + #[inline(always)] + fn exp_acc( + base: [B; N], + tail: [B; N], + ) -> [B; N] { + let mut result = base; + for _ in 0..M { + result.iter_mut().for_each(|r| *r = r.square()); + } + result.iter_mut().zip(tail).for_each(|(r, t)| *r *= t); + result + } +} + +// OPTIMIZATIONS +// ================================================================================================ + +#[cfg(all(target_feature = "sve", feature = "sve"))] +#[link(name = "rpo_sve", kind = "static")] +extern "C" { + fn add_constants_and_apply_sbox( + state: *mut std::ffi::c_ulong, + constants: *const std::ffi::c_ulong, + ) -> bool; + fn add_constants_and_apply_inv_sbox( + state: *mut std::ffi::c_ulong, + constants: *const std::ffi::c_ulong, + ) -> bool; +} + +#[inline(always)] +#[cfg(all(target_feature = "sve", feature = "sve"))] +fn optimized_add_constants_and_apply_sbox( + state: &mut [Felt; STATE_WIDTH], + ark: &[Felt; STATE_WIDTH], +) -> bool { + unsafe { + add_constants_and_apply_sbox(state.as_mut_ptr() as *mut u64, ark.as_ptr() as *const u64) + } +} + +#[inline(always)] +#[cfg(not(all(target_feature = "sve", feature = "sve")))] +fn optimized_add_constants_and_apply_sbox( + _state: &mut [Felt; STATE_WIDTH], + _ark: &[Felt; STATE_WIDTH], +) -> bool { + false +} + +#[inline(always)] +#[cfg(all(target_feature = "sve", feature = "sve"))] +fn optimized_add_constants_and_apply_inv_sbox( + state: &mut [Felt; STATE_WIDTH], + ark: &[Felt; STATE_WIDTH], +) -> bool { + unsafe { + add_constants_and_apply_inv_sbox(state.as_mut_ptr() as *mut u64, ark.as_ptr() as *const u64) + } +} + +#[inline(always)] +#[cfg(not(all(target_feature = "sve", feature = "sve")))] +fn optimized_add_constants_and_apply_inv_sbox( + _state: &mut [Felt; STATE_WIDTH], + _ark: &[Felt; STATE_WIDTH], +) -> bool { + false +} + +#[inline(always)] +fn add_constants(state: &mut [Felt; STATE_WIDTH], ark: &[Felt; STATE_WIDTH]) { + state.iter_mut().zip(ark).for_each(|(s, &k)| *s += k); +} + +// ROUND CONSTANTS +// ================================================================================================ + +/// Rescue round constants; +/// computed as in [specifications](https://github.com/ASDiscreteMathematics/rpo) +/// +/// The constants are broken up into two arrays ARK1 and ARK2; ARK1 contains the constants for the +/// first half of RPO round, and ARK2 contains constants for the second half of RPO round. +const ARK1: [[Felt; STATE_WIDTH]; NUM_ROUNDS] = [ + [ + Felt::new(5789762306288267392), + Felt::new(6522564764413701783), + Felt::new(17809893479458208203), + Felt::new(107145243989736508), + Felt::new(6388978042437517382), + Felt::new(15844067734406016715), + Felt::new(9975000513555218239), + Felt::new(3344984123768313364), + Felt::new(9959189626657347191), + Felt::new(12960773468763563665), + Felt::new(9602914297752488475), + Felt::new(16657542370200465908), + ], + [ + Felt::new(12987190162843096997), + Felt::new(653957632802705281), + Felt::new(4441654670647621225), + Felt::new(4038207883745915761), + Felt::new(5613464648874830118), + Felt::new(13222989726778338773), + Felt::new(3037761201230264149), + Felt::new(16683759727265180203), + Felt::new(8337364536491240715), + Felt::new(3227397518293416448), + Felt::new(8110510111539674682), + Felt::new(2872078294163232137), + ], + [ + Felt::new(18072785500942327487), + Felt::new(6200974112677013481), + Felt::new(17682092219085884187), + Felt::new(10599526828986756440), + Felt::new(975003873302957338), + Felt::new(8264241093196931281), + Felt::new(10065763900435475170), + Felt::new(2181131744534710197), + Felt::new(6317303992309418647), + Felt::new(1401440938888741532), + Felt::new(8884468225181997494), + Felt::new(13066900325715521532), + ], + [ + Felt::new(5674685213610121970), + Felt::new(5759084860419474071), + Felt::new(13943282657648897737), + Felt::new(1352748651966375394), + Felt::new(17110913224029905221), + Felt::new(1003883795902368422), + Felt::new(4141870621881018291), + Felt::new(8121410972417424656), + Felt::new(14300518605864919529), + Felt::new(13712227150607670181), + Felt::new(17021852944633065291), + Felt::new(6252096473787587650), + ], + [ + Felt::new(4887609836208846458), + Felt::new(3027115137917284492), + Felt::new(9595098600469470675), + Felt::new(10528569829048484079), + Felt::new(7864689113198939815), + Felt::new(17533723827845969040), + Felt::new(5781638039037710951), + Felt::new(17024078752430719006), + Felt::new(109659393484013511), + Felt::new(7158933660534805869), + Felt::new(2955076958026921730), + Felt::new(7433723648458773977), + ], + [ + Felt::new(16308865189192447297), + Felt::new(11977192855656444890), + Felt::new(12532242556065780287), + Felt::new(14594890931430968898), + Felt::new(7291784239689209784), + Felt::new(5514718540551361949), + Felt::new(10025733853830934803), + Felt::new(7293794580341021693), + Felt::new(6728552937464861756), + Felt::new(6332385040983343262), + Felt::new(13277683694236792804), + Felt::new(2600778905124452676), + ], + [ + Felt::new(7123075680859040534), + Felt::new(1034205548717903090), + Felt::new(7717824418247931797), + Felt::new(3019070937878604058), + Felt::new(11403792746066867460), + Felt::new(10280580802233112374), + Felt::new(337153209462421218), + Felt::new(13333398568519923717), + Felt::new(3596153696935337464), + Felt::new(8104208463525993784), + Felt::new(14345062289456085693), + Felt::new(17036731477169661256), + ], +]; + +const ARK2: [[Felt; STATE_WIDTH]; NUM_ROUNDS] = [ + [ + Felt::new(6077062762357204287), + Felt::new(15277620170502011191), + Felt::new(5358738125714196705), + Felt::new(14233283787297595718), + Felt::new(13792579614346651365), + Felt::new(11614812331536767105), + Felt::new(14871063686742261166), + Felt::new(10148237148793043499), + Felt::new(4457428952329675767), + Felt::new(15590786458219172475), + Felt::new(10063319113072092615), + Felt::new(14200078843431360086), + ], + [ + Felt::new(6202948458916099932), + Felt::new(17690140365333231091), + Felt::new(3595001575307484651), + Felt::new(373995945117666487), + Felt::new(1235734395091296013), + Felt::new(14172757457833931602), + Felt::new(707573103686350224), + Felt::new(15453217512188187135), + Felt::new(219777875004506018), + Felt::new(17876696346199469008), + Felt::new(17731621626449383378), + Felt::new(2897136237748376248), + ], + [ + Felt::new(8023374565629191455), + Felt::new(15013690343205953430), + Felt::new(4485500052507912973), + Felt::new(12489737547229155153), + Felt::new(9500452585969030576), + Felt::new(2054001340201038870), + Felt::new(12420704059284934186), + Felt::new(355990932618543755), + Felt::new(9071225051243523860), + Felt::new(12766199826003448536), + Felt::new(9045979173463556963), + Felt::new(12934431667190679898), + ], + [ + Felt::new(18389244934624494276), + Felt::new(16731736864863925227), + Felt::new(4440209734760478192), + Felt::new(17208448209698888938), + Felt::new(8739495587021565984), + Felt::new(17000774922218161967), + Felt::new(13533282547195532087), + Felt::new(525402848358706231), + Felt::new(16987541523062161972), + Felt::new(5466806524462797102), + Felt::new(14512769585918244983), + Felt::new(10973956031244051118), + ], + [ + Felt::new(6982293561042362913), + Felt::new(14065426295947720331), + Felt::new(16451845770444974180), + Felt::new(7139138592091306727), + Felt::new(9012006439959783127), + Felt::new(14619614108529063361), + Felt::new(1394813199588124371), + Felt::new(4635111139507788575), + Felt::new(16217473952264203365), + Felt::new(10782018226466330683), + Felt::new(6844229992533662050), + Felt::new(7446486531695178711), + ], + [ + Felt::new(3736792340494631448), + Felt::new(577852220195055341), + Felt::new(6689998335515779805), + Felt::new(13886063479078013492), + Felt::new(14358505101923202168), + Felt::new(7744142531772274164), + Felt::new(16135070735728404443), + Felt::new(12290902521256031137), + Felt::new(12059913662657709804), + Felt::new(16456018495793751911), + Felt::new(4571485474751953524), + Felt::new(17200392109565783176), + ], + [ + Felt::new(17130398059294018733), + Felt::new(519782857322261988), + Felt::new(9625384390925085478), + Felt::new(1664893052631119222), + Felt::new(7629576092524553570), + Felt::new(3485239601103661425), + Felt::new(9755891797164033838), + Felt::new(15218148195153269027), + Felt::new(16460604813734957368), + Felt::new(9643968136937729763), + Felt::new(3611348709641382851), + Felt::new(18256379591337759196), + ], +]; diff --git a/src/hash/rpo/digest.rs b/src/hash/rescue/rpo/digest.rs similarity index 87% rename from src/hash/rpo/digest.rs rename to src/hash/rescue/rpo/digest.rs index b5de346..8252bef 100644 --- a/src/hash/rpo/digest.rs +++ b/src/hash/rescue/rpo/digest.rs @@ -175,18 +175,6 @@ impl From<&RpoDigest> for String { // CONVERSIONS: TO DIGEST // ================================================================================================ -#[derive(Copy, Clone, Debug)] -pub enum RpoDigestError { - /// The provided u64 integer does not fit in the field's moduli. - InvalidInteger, -} - -impl From<&[Felt; DIGEST_SIZE]> for RpoDigest { - fn from(value: &[Felt; DIGEST_SIZE]) -> Self { - Self(*value) - } -} - impl From<[Felt; DIGEST_SIZE]> for RpoDigest { fn from(value: [Felt; DIGEST_SIZE]) -> Self { Self(value) @@ -212,46 +200,6 @@ impl TryFrom<[u8; DIGEST_BYTES]> for RpoDigest { } } -impl TryFrom<&[u8; DIGEST_BYTES]> for RpoDigest { - type Error = HexParseError; - - fn try_from(value: &[u8; DIGEST_BYTES]) -> Result { - (*value).try_into() - } -} - -impl TryFrom<&[u8]> for RpoDigest { - type Error = HexParseError; - - fn try_from(value: &[u8]) -> Result { - (*value).try_into() - } -} - -impl TryFrom<[u64; DIGEST_SIZE]> for RpoDigest { - type Error = RpoDigestError; - - fn try_from(value: [u64; DIGEST_SIZE]) -> Result { - if value[0] >= Felt::MODULUS - || value[1] >= Felt::MODULUS - || value[2] >= Felt::MODULUS - || value[3] >= Felt::MODULUS - { - return Err(RpoDigestError::InvalidInteger); - } - - Ok(Self([value[0].into(), value[1].into(), value[2].into(), value[3].into()])) - } -} - -impl TryFrom<&[u64; DIGEST_SIZE]> for RpoDigest { - type Error = RpoDigestError; - - fn try_from(value: &[u64; DIGEST_SIZE]) -> Result { - (*value).try_into() - } -} - impl TryFrom<&str> for RpoDigest { type Error = HexParseError; @@ -311,8 +259,7 @@ impl Deserializable for RpoDigest { #[cfg(test)] mod tests { use super::{Deserializable, Felt, RpoDigest, Serializable, DIGEST_BYTES}; - use crate::utils::string::String; - use crate::{hash::rpo::DIGEST_SIZE, utils::SliceReader}; + use crate::utils::SliceReader; use rand_utils::rand_value; #[test] diff --git a/src/hash/rescue/rpo/mod.rs b/src/hash/rescue/rpo/mod.rs new file mode 100644 index 0000000..a708629 --- /dev/null +++ b/src/hash/rescue/rpo/mod.rs @@ -0,0 +1,324 @@ +use super::{ + add_constants, apply_inv_sbox, apply_mds, apply_sbox, + optimized_add_constants_and_apply_inv_sbox, optimized_add_constants_and_apply_sbox, Digest, + ElementHasher, Felt, FieldElement, Hasher, StarkField, ARK1, ARK2, BINARY_CHUNK_SIZE, + CAPACITY_RANGE, DIGEST_RANGE, DIGEST_SIZE, INPUT1_RANGE, INPUT2_RANGE, MDS, NUM_ROUNDS, ONE, + RATE_RANGE, RATE_WIDTH, STATE_WIDTH, ZERO, +}; +use core::{convert::TryInto, ops::Range}; + +mod digest; +pub use digest::RpoDigest; + +#[cfg(test)] +mod tests; + +// HASHER IMPLEMENTATION +// ================================================================================================ + +/// Implementation of the Rescue Prime Optimized hash function with 256-bit output. +/// +/// The hash function is implemented according to the Rescue Prime Optimized +/// [specifications](https://eprint.iacr.org/2022/1577) +/// +/// The parameters used to instantiate the function are: +/// * Field: 64-bit prime field with modulus 2^64 - 2^32 + 1. +/// * State width: 12 field elements. +/// * Capacity size: 4 field elements. +/// * Number of founds: 7. +/// * S-Box degree: 7. +/// +/// The above parameters target 128-bit security level. The digest consists of four field elements +/// and it can be serialized into 32 bytes (256 bits). +/// +/// ## Hash output consistency +/// Functions [hash_elements()](Rpo256::hash_elements), [merge()](Rpo256::merge), and +/// [merge_with_int()](Rpo256::merge_with_int) are internally consistent. That is, computing +/// a hash for the same set of elements using these functions will always produce the same +/// result. For example, merging two digests using [merge()](Rpo256::merge) will produce the +/// same result as hashing 8 elements which make up these digests using +/// [hash_elements()](Rpo256::hash_elements) function. +/// +/// However, [hash()](Rpo256::hash) function is not consistent with functions mentioned above. +/// For example, if we take two field elements, serialize them to bytes and hash them using +/// [hash()](Rpo256::hash), the result will differ from the result obtained by hashing these +/// elements directly using [hash_elements()](Rpo256::hash_elements) function. The reason for +/// this difference is that [hash()](Rpo256::hash) function needs to be able to handle +/// arbitrary binary strings, which may or may not encode valid field elements - and thus, +/// deserialization procedure used by this function is different from the procedure used to +/// deserialize valid field elements. +/// +/// Thus, if the underlying data consists of valid field elements, it might make more sense +/// to deserialize them into field elements and then hash them using +/// [hash_elements()](Rpo256::hash_elements) function rather then hashing the serialized bytes +/// using [hash()](Rpo256::hash) function. +#[derive(Debug, Copy, Clone, Eq, PartialEq)] +pub struct Rpo256(); + +impl Hasher for Rpo256 { + /// Rpo256 collision resistance is the same as the security level, that is 128-bits. + /// + /// #### Collision resistance + /// + /// However, our setup of the capacity registers might drop it to 126. + /// + /// Related issue: [#69](https://github.com/0xPolygonMiden/crypto/issues/69) + const COLLISION_RESISTANCE: u32 = 128; + + type Digest = RpoDigest; + + fn hash(bytes: &[u8]) -> Self::Digest { + // initialize the state with zeroes + let mut state = [ZERO; STATE_WIDTH]; + + // set the capacity (first element) to a flag on whether or not the input length is evenly + // divided by the rate. this will prevent collisions between padded and non-padded inputs, + // and will rule out the need to perform an extra permutation in case of evenly divided + // inputs. + let is_rate_multiple = bytes.len() % RATE_WIDTH == 0; + if !is_rate_multiple { + state[CAPACITY_RANGE.start] = ONE; + } + + // initialize a buffer to receive the little-endian elements. + let mut buf = [0_u8; 8]; + + // iterate the chunks of bytes, creating a field element from each chunk and copying it + // into the state. + // + // every time the rate range is filled, a permutation is performed. if the final value of + // `i` is not zero, then the chunks count wasn't enough to fill the state range, and an + // additional permutation must be performed. + let i = bytes.chunks(BINARY_CHUNK_SIZE).fold(0, |i, chunk| { + // the last element of the iteration may or may not be a full chunk. if it's not, then + // we need to pad the remainder bytes of the chunk with zeroes, separated by a `1`. + // this will avoid collisions. + if chunk.len() == BINARY_CHUNK_SIZE { + buf[..BINARY_CHUNK_SIZE].copy_from_slice(chunk); + } else { + buf.fill(0); + buf[..chunk.len()].copy_from_slice(chunk); + buf[chunk.len()] = 1; + } + + // set the current rate element to the input. since we take at most 7 bytes, we are + // guaranteed that the inputs data will fit into a single field element. + state[RATE_RANGE.start + i] = Felt::new(u64::from_le_bytes(buf)); + + // proceed filling the range. if it's full, then we apply a permutation and reset the + // counter to the beginning of the range. + if i == RATE_WIDTH - 1 { + Self::apply_permutation(&mut state); + 0 + } else { + i + 1 + } + }); + + // if we absorbed some elements but didn't apply a permutation to them (would happen when + // the number of elements is not a multiple of RATE_WIDTH), apply the RPO permutation. we + // don't need to apply any extra padding because the first capacity element containts a + // flag indicating whether the input is evenly divisible by the rate. + if i != 0 { + state[RATE_RANGE.start + i..RATE_RANGE.end].fill(ZERO); + state[RATE_RANGE.start + i] = ONE; + Self::apply_permutation(&mut state); + } + + // return the first 4 elements of the rate as hash result. + RpoDigest::new(state[DIGEST_RANGE].try_into().unwrap()) + } + + fn merge(values: &[Self::Digest; 2]) -> Self::Digest { + // initialize the state by copying the digest elements into the rate portion of the state + // (8 total elements), and set the capacity elements to 0. + let mut state = [ZERO; STATE_WIDTH]; + let it = Self::Digest::digests_as_elements(values.iter()); + for (i, v) in it.enumerate() { + state[RATE_RANGE.start + i] = *v; + } + + // apply the RPO permutation and return the first four elements of the state + Self::apply_permutation(&mut state); + RpoDigest::new(state[DIGEST_RANGE].try_into().unwrap()) + } + + fn merge_with_int(seed: Self::Digest, value: u64) -> Self::Digest { + // initialize the state as follows: + // - seed is copied into the first 4 elements of the rate portion of the state. + // - if the value fits into a single field element, copy it into the fifth rate element + // and set the sixth rate element to 1. + // - if the value doesn't fit into a single field element, split it into two field + // elements, copy them into rate elements 5 and 6, and set the seventh rate element + // to 1. + // - set the first capacity element to 1 + let mut state = [ZERO; STATE_WIDTH]; + state[INPUT1_RANGE].copy_from_slice(seed.as_elements()); + state[INPUT2_RANGE.start] = Felt::new(value); + if value < Felt::MODULUS { + state[INPUT2_RANGE.start + 1] = ONE; + } else { + state[INPUT2_RANGE.start + 1] = Felt::new(value / Felt::MODULUS); + state[INPUT2_RANGE.start + 2] = ONE; + } + + // common padding for both cases + state[CAPACITY_RANGE.start] = ONE; + + // apply the RPO permutation and return the first four elements of the state + Self::apply_permutation(&mut state); + RpoDigest::new(state[DIGEST_RANGE].try_into().unwrap()) + } +} + +impl ElementHasher for Rpo256 { + type BaseField = Felt; + + fn hash_elements>(elements: &[E]) -> Self::Digest { + // convert the elements into a list of base field elements + let elements = E::slice_as_base_elements(elements); + + // initialize state to all zeros, except for the first element of the capacity part, which + // is set to 1 if the number of elements is not a multiple of RATE_WIDTH. + let mut state = [ZERO; STATE_WIDTH]; + if elements.len() % RATE_WIDTH != 0 { + state[CAPACITY_RANGE.start] = ONE; + } + + // absorb elements into the state one by one until the rate portion of the state is filled + // up; then apply the Rescue permutation and start absorbing again; repeat until all + // elements have been absorbed + let mut i = 0; + for &element in elements.iter() { + state[RATE_RANGE.start + i] = element; + i += 1; + if i % RATE_WIDTH == 0 { + Self::apply_permutation(&mut state); + i = 0; + } + } + + // if we absorbed some elements but didn't apply a permutation to them (would happen when + // the number of elements is not a multiple of RATE_WIDTH), apply the RPO permutation after + // padding by appending a 1 followed by as many 0 as necessary to make the input length a + // multiple of the RATE_WIDTH. + if i > 0 { + state[RATE_RANGE.start + i] = ONE; + i += 1; + while i != RATE_WIDTH { + state[RATE_RANGE.start + i] = ZERO; + i += 1; + } + Self::apply_permutation(&mut state); + } + + // return the first 4 elements of the state as hash result + RpoDigest::new(state[DIGEST_RANGE].try_into().unwrap()) + } +} + +// HASH FUNCTION IMPLEMENTATION +// ================================================================================================ + +impl Rpo256 { + // CONSTANTS + // -------------------------------------------------------------------------------------------- + + /// The number of rounds is set to 7 to target 128-bit security level. + pub const NUM_ROUNDS: usize = NUM_ROUNDS; + + /// Sponge state is set to 12 field elements or 768 bytes; 8 elements are reserved for rate and + /// the remaining 4 elements are reserved for capacity. + pub const STATE_WIDTH: usize = STATE_WIDTH; + + /// The rate portion of the state is located in elements 4 through 11 (inclusive). + pub const RATE_RANGE: Range = RATE_RANGE; + + /// The capacity portion of the state is located in elements 0, 1, 2, and 3. + pub const CAPACITY_RANGE: Range = CAPACITY_RANGE; + + /// The output of the hash function can be read from state elements 4, 5, 6, and 7. + pub const DIGEST_RANGE: Range = DIGEST_RANGE; + + /// MDS matrix used for computing the linear layer in a RPO round. + pub const MDS: [[Felt; STATE_WIDTH]; STATE_WIDTH] = MDS; + + /// Round constants added to the hasher state in the first half of the RPO round. + pub const ARK1: [[Felt; STATE_WIDTH]; NUM_ROUNDS] = ARK1; + + /// Round constants added to the hasher state in the second half of the RPO round. + pub const ARK2: [[Felt; STATE_WIDTH]; NUM_ROUNDS] = ARK2; + + // TRAIT PASS-THROUGH FUNCTIONS + // -------------------------------------------------------------------------------------------- + + /// Returns a hash of the provided sequence of bytes. + #[inline(always)] + pub fn hash(bytes: &[u8]) -> RpoDigest { + ::hash(bytes) + } + + /// Returns a hash of two digests. This method is intended for use in construction of + /// Merkle trees and verification of Merkle paths. + #[inline(always)] + pub fn merge(values: &[RpoDigest; 2]) -> RpoDigest { + ::merge(values) + } + + /// Returns a hash of the provided field elements. + #[inline(always)] + pub fn hash_elements>(elements: &[E]) -> RpoDigest { + ::hash_elements(elements) + } + + // DOMAIN IDENTIFIER + // -------------------------------------------------------------------------------------------- + + /// Returns a hash of two digests and a domain identifier. + pub fn merge_in_domain(values: &[RpoDigest; 2], domain: Felt) -> RpoDigest { + // initialize the state by copying the digest elements into the rate portion of the state + // (8 total elements), and set the capacity elements to 0. + let mut state = [ZERO; STATE_WIDTH]; + let it = RpoDigest::digests_as_elements(values.iter()); + for (i, v) in it.enumerate() { + state[RATE_RANGE.start + i] = *v; + } + + // set the second capacity element to the domain value. The first capacity element is used + // for padding purposes. + state[CAPACITY_RANGE.start + 1] = domain; + + // apply the RPO permutation and return the first four elements of the state + Self::apply_permutation(&mut state); + RpoDigest::new(state[DIGEST_RANGE].try_into().unwrap()) + } + + // RESCUE PERMUTATION + // -------------------------------------------------------------------------------------------- + + /// Applies RPO permutation to the provided state. + #[inline(always)] + pub fn apply_permutation(state: &mut [Felt; STATE_WIDTH]) { + for i in 0..NUM_ROUNDS { + Self::apply_round(state, i); + } + } + + /// RPO round function. + #[inline(always)] + pub fn apply_round(state: &mut [Felt; STATE_WIDTH], round: usize) { + // apply first half of RPO round + apply_mds(state); + if !optimized_add_constants_and_apply_sbox(state, &ARK1[round]) { + add_constants(state, &ARK1[round]); + apply_sbox(state); + } + + // apply second half of RPO round + apply_mds(state); + if !optimized_add_constants_and_apply_inv_sbox(state, &ARK2[round]) { + add_constants(state, &ARK2[round]); + apply_inv_sbox(state); + } + } +} diff --git a/src/hash/rpo/tests.rs b/src/hash/rescue/rpo/tests.rs similarity index 96% rename from src/hash/rpo/tests.rs rename to src/hash/rescue/rpo/tests.rs index 3ca5a33..3dbdf4d 100644 --- a/src/hash/rpo/tests.rs +++ b/src/hash/rescue/rpo/tests.rs @@ -1,6 +1,6 @@ use super::{ - Felt, FieldElement, Hasher, Rpo256, RpoDigest, StarkField, ALPHA, INV_ALPHA, ONE, STATE_WIDTH, - ZERO, + super::{apply_inv_sbox, apply_sbox, ALPHA, INV_ALPHA}, + Felt, FieldElement, Hasher, Rpo256, RpoDigest, StarkField, ONE, STATE_WIDTH, ZERO, }; use crate::{ utils::collections::{BTreeSet, Vec}, @@ -10,13 +10,6 @@ use core::convert::TryInto; use proptest::prelude::*; use rand_utils::rand_value; -#[test] -fn test_alphas() { - let e: Felt = Felt::new(rand_value()); - let e_exp = e.exp(ALPHA); - assert_eq!(e, e_exp.exp(INV_ALPHA)); -} - #[test] fn test_sbox() { let state = [Felt::new(rand_value()); STATE_WIDTH]; @@ -25,7 +18,7 @@ fn test_sbox() { expected.iter_mut().for_each(|v| *v = v.exp(ALPHA)); let mut actual = state; - Rpo256::apply_sbox(&mut actual); + apply_sbox(&mut actual); assert_eq!(expected, actual); } @@ -38,7 +31,7 @@ fn test_inv_sbox() { expected.iter_mut().for_each(|v| *v = v.exp(INV_ALPHA)); let mut actual = state; - Rpo256::apply_inv_sbox(&mut actual); + apply_inv_sbox(&mut actual); assert_eq!(expected, actual); } diff --git a/src/hash/rescue/rpx/digest.rs b/src/hash/rescue/rpx/digest.rs new file mode 100644 index 0000000..26a9bee --- /dev/null +++ b/src/hash/rescue/rpx/digest.rs @@ -0,0 +1,299 @@ +use super::{Digest, Felt, StarkField, DIGEST_SIZE, ZERO}; +use crate::utils::{ + bytes_to_hex_string, hex_to_bytes, string::String, ByteReader, ByteWriter, Deserializable, + DeserializationError, HexParseError, Serializable, +}; +use core::{cmp::Ordering, fmt::Display, ops::Deref}; +use winter_utils::Randomizable; + +/// The number of bytes needed to encoded a digest +pub const DIGEST_BYTES: usize = 32; + +// DIGEST TRAIT IMPLEMENTATIONS +// ================================================================================================ + +#[derive(Debug, Default, Copy, Clone, Eq, PartialEq)] +#[cfg_attr(feature = "serde", derive(serde::Deserialize, serde::Serialize))] +#[cfg_attr(feature = "serde", serde(into = "String", try_from = "&str"))] +pub struct RpxDigest([Felt; DIGEST_SIZE]); + +impl RpxDigest { + pub const fn new(value: [Felt; DIGEST_SIZE]) -> Self { + Self(value) + } + + pub fn as_elements(&self) -> &[Felt] { + self.as_ref() + } + + pub fn as_bytes(&self) -> [u8; DIGEST_BYTES] { + ::as_bytes(self) + } + + pub fn digests_as_elements<'a, I>(digests: I) -> impl Iterator + where + I: Iterator, + { + digests.flat_map(|d| d.0.iter()) + } +} + +impl Digest for RpxDigest { + fn as_bytes(&self) -> [u8; DIGEST_BYTES] { + let mut result = [0; DIGEST_BYTES]; + + result[..8].copy_from_slice(&self.0[0].as_int().to_le_bytes()); + result[8..16].copy_from_slice(&self.0[1].as_int().to_le_bytes()); + result[16..24].copy_from_slice(&self.0[2].as_int().to_le_bytes()); + result[24..].copy_from_slice(&self.0[3].as_int().to_le_bytes()); + + result + } +} + +impl Deref for RpxDigest { + type Target = [Felt; DIGEST_SIZE]; + + fn deref(&self) -> &Self::Target { + &self.0 + } +} + +impl Ord for RpxDigest { + fn cmp(&self, other: &Self) -> Ordering { + // compare the inner u64 of both elements. + // + // it will iterate the elements and will return the first computation different than + // `Equal`. Otherwise, the ordering is equal. + // + // the endianness is irrelevant here because since, this being a cryptographically secure + // hash computation, the digest shouldn't have any ordered property of its input. + // + // finally, we use `Felt::inner` instead of `Felt::as_int` so we avoid performing a + // montgomery reduction for every limb. that is safe because every inner element of the + // digest is guaranteed to be in its canonical form (that is, `x in [0,p)`). + self.0.iter().map(Felt::inner).zip(other.0.iter().map(Felt::inner)).fold( + Ordering::Equal, + |ord, (a, b)| match ord { + Ordering::Equal => a.cmp(&b), + _ => ord, + }, + ) + } +} + +impl PartialOrd for RpxDigest { + fn partial_cmp(&self, other: &Self) -> Option { + Some(self.cmp(other)) + } +} + +impl Display for RpxDigest { + fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result { + let encoded: String = self.into(); + write!(f, "{}", encoded)?; + Ok(()) + } +} + +impl Randomizable for RpxDigest { + const VALUE_SIZE: usize = DIGEST_BYTES; + + fn from_random_bytes(bytes: &[u8]) -> Option { + let bytes_array: Option<[u8; 32]> = bytes.try_into().ok(); + if let Some(bytes_array) = bytes_array { + Self::try_from(bytes_array).ok() + } else { + None + } + } +} + +// CONVERSIONS: FROM RPX DIGEST +// ================================================================================================ + +impl From<&RpxDigest> for [Felt; DIGEST_SIZE] { + fn from(value: &RpxDigest) -> Self { + value.0 + } +} + +impl From for [Felt; DIGEST_SIZE] { + fn from(value: RpxDigest) -> Self { + value.0 + } +} + +impl From<&RpxDigest> for [u64; DIGEST_SIZE] { + fn from(value: &RpxDigest) -> Self { + [ + value.0[0].as_int(), + value.0[1].as_int(), + value.0[2].as_int(), + value.0[3].as_int(), + ] + } +} + +impl From for [u64; DIGEST_SIZE] { + fn from(value: RpxDigest) -> Self { + [ + value.0[0].as_int(), + value.0[1].as_int(), + value.0[2].as_int(), + value.0[3].as_int(), + ] + } +} + +impl From<&RpxDigest> for [u8; DIGEST_BYTES] { + fn from(value: &RpxDigest) -> Self { + value.as_bytes() + } +} + +impl From for [u8; DIGEST_BYTES] { + fn from(value: RpxDigest) -> Self { + value.as_bytes() + } +} + +impl From for String { + /// The returned string starts with `0x`. + fn from(value: RpxDigest) -> Self { + bytes_to_hex_string(value.as_bytes()) + } +} + +impl From<&RpxDigest> for String { + /// The returned string starts with `0x`. + fn from(value: &RpxDigest) -> Self { + (*value).into() + } +} + +// CONVERSIONS: TO RPX DIGEST +// ================================================================================================ + +impl From<[Felt; DIGEST_SIZE]> for RpxDigest { + fn from(value: [Felt; DIGEST_SIZE]) -> Self { + Self(value) + } +} + +impl TryFrom<[u8; DIGEST_BYTES]> for RpxDigest { + type Error = HexParseError; + + fn try_from(value: [u8; DIGEST_BYTES]) -> Result { + // Note: the input length is known, the conversion from slice to array must succeed so the + // `unwrap`s below are safe + let a = u64::from_le_bytes(value[0..8].try_into().unwrap()); + let b = u64::from_le_bytes(value[8..16].try_into().unwrap()); + let c = u64::from_le_bytes(value[16..24].try_into().unwrap()); + let d = u64::from_le_bytes(value[24..32].try_into().unwrap()); + + if [a, b, c, d].iter().any(|v| *v >= Felt::MODULUS) { + return Err(HexParseError::OutOfRange); + } + + Ok(RpxDigest([Felt::new(a), Felt::new(b), Felt::new(c), Felt::new(d)])) + } +} + +impl TryFrom<&str> for RpxDigest { + type Error = HexParseError; + + /// Expects the string to start with `0x`. + fn try_from(value: &str) -> Result { + hex_to_bytes(value).and_then(|v| v.try_into()) + } +} + +impl TryFrom for RpxDigest { + type Error = HexParseError; + + /// Expects the string to start with `0x`. + fn try_from(value: String) -> Result { + value.as_str().try_into() + } +} + +impl TryFrom<&String> for RpxDigest { + type Error = HexParseError; + + /// Expects the string to start with `0x`. + fn try_from(value: &String) -> Result { + value.as_str().try_into() + } +} + +// SERIALIZATION / DESERIALIZATION +// ================================================================================================ + +impl Serializable for RpxDigest { + fn write_into(&self, target: &mut W) { + target.write_bytes(&self.as_bytes()); + } +} + +impl Deserializable for RpxDigest { + fn read_from(source: &mut R) -> Result { + let mut inner: [Felt; DIGEST_SIZE] = [ZERO; DIGEST_SIZE]; + for inner in inner.iter_mut() { + let e = source.read_u64()?; + if e >= Felt::MODULUS { + return Err(DeserializationError::InvalidValue(String::from( + "Value not in the appropriate range", + ))); + } + *inner = Felt::new(e); + } + + Ok(Self(inner)) + } +} + +// TESTS +// ================================================================================================ + +#[cfg(test)] +mod tests { + use super::{Deserializable, Felt, RpxDigest, Serializable, DIGEST_BYTES}; + use crate::utils::SliceReader; + use rand_utils::rand_value; + + #[test] + fn digest_serialization() { + let e1 = Felt::new(rand_value()); + let e2 = Felt::new(rand_value()); + let e3 = Felt::new(rand_value()); + let e4 = Felt::new(rand_value()); + + let d1 = RpxDigest([e1, e2, e3, e4]); + + let mut bytes = vec![]; + d1.write_into(&mut bytes); + assert_eq!(DIGEST_BYTES, bytes.len()); + + let mut reader = SliceReader::new(&bytes); + let d2 = RpxDigest::read_from(&mut reader).unwrap(); + + assert_eq!(d1, d2); + } + + #[cfg(feature = "std")] + #[test] + fn digest_encoding() { + let digest = RpxDigest([ + Felt::new(rand_value()), + Felt::new(rand_value()), + Felt::new(rand_value()), + Felt::new(rand_value()), + ]); + + let string: String = digest.into(); + let round_trip: RpxDigest = string.try_into().expect("decoding failed"); + + assert_eq!(digest, round_trip); + } +} diff --git a/src/hash/rescue/rpx/mod.rs b/src/hash/rescue/rpx/mod.rs new file mode 100644 index 0000000..38161eb --- /dev/null +++ b/src/hash/rescue/rpx/mod.rs @@ -0,0 +1,379 @@ +use super::{ + add_constants, apply_inv_sbox, apply_mds, apply_sbox, + optimized_add_constants_and_apply_inv_sbox, optimized_add_constants_and_apply_sbox, + CubeExtension, Digest, ElementHasher, Felt, FieldElement, Hasher, StarkField, ARK1, ARK2, + BINARY_CHUNK_SIZE, CAPACITY_RANGE, DIGEST_RANGE, DIGEST_SIZE, INPUT1_RANGE, INPUT2_RANGE, MDS, + NUM_ROUNDS, ONE, RATE_RANGE, RATE_WIDTH, STATE_WIDTH, ZERO, +}; +use core::{convert::TryInto, ops::Range}; + +mod digest; +pub use digest::RpxDigest; + +#[cfg(all(target_feature = "sve", feature = "sve"))] +#[link(name = "rpo_sve", kind = "static")] +extern "C" { + fn add_constants_and_apply_sbox( + state: *mut std::ffi::c_ulong, + constants: *const std::ffi::c_ulong, + ) -> bool; + fn add_constants_and_apply_inv_sbox( + state: *mut std::ffi::c_ulong, + constants: *const std::ffi::c_ulong, + ) -> bool; +} + +pub type CubicExtElement = CubeExtension; + +// HASHER IMPLEMENTATION +// ================================================================================================ + +/// Implementation of the Rescue Prime eXtension hash function with 256-bit output. +/// +/// The hash function is based on the XHash12 construction in [specifications](https://eprint.iacr.org/2023/1045) +/// +/// The parameters used to instantiate the function are: +/// * Field: 64-bit prime field with modulus 2^64 - 2^32 + 1. +/// * State width: 12 field elements. +/// * Capacity size: 4 field elements. +/// * S-Box degree: 7. +/// * Rounds: There are 3 different types of rounds: +/// - (FB): `apply_mds` → `add_constants` → `apply_sbox` → `apply_mds` → `add_constants` → `apply_inv_sbox`. +/// - (E): `add_constants` → `ext_sbox` (which is raising to power 7 in the degree 3 extension field). +/// - (M): `apply_mds` → `add_constants`. +/// * Permutation: (FB) (E) (FB) (E) (FB) (E) (M). +/// +/// The above parameters target 128-bit security level. The digest consists of four field elements +/// and it can be serialized into 32 bytes (256 bits). +/// +/// ## Hash output consistency +/// Functions [hash_elements()](Rpx256::hash_elements), [merge()](Rpx256::merge), and +/// [merge_with_int()](Rpx256::merge_with_int) are internally consistent. That is, computing +/// a hash for the same set of elements using these functions will always produce the same +/// result. For example, merging two digests using [merge()](Rpx256::merge) will produce the +/// same result as hashing 8 elements which make up these digests using +/// [hash_elements()](Rpx256::hash_elements) function. +/// +/// However, [hash()](Rpx256::hash) function is not consistent with functions mentioned above. +/// For example, if we take two field elements, serialize them to bytes and hash them using +/// [hash()](Rpx256::hash), the result will differ from the result obtained by hashing these +/// elements directly using [hash_elements()](Rpx256::hash_elements) function. The reason for +/// this difference is that [hash()](Rpx256::hash) function needs to be able to handle +/// arbitrary binary strings, which may or may not encode valid field elements - and thus, +/// deserialization procedure used by this function is different from the procedure used to +/// deserialize valid field elements. +/// +/// Thus, if the underlying data consists of valid field elements, it might make more sense +/// to deserialize them into field elements and then hash them using +/// [hash_elements()](Rpx256::hash_elements) function rather then hashing the serialized bytes +/// using [hash()](Rpx256::hash) function. +#[derive(Debug, Copy, Clone, Eq, PartialEq)] +pub struct Rpx256(); + +impl Hasher for Rpx256 { + /// Rpx256 collision resistance is the same as the security level, that is 128-bits. + /// + /// #### Collision resistance + /// + /// However, our setup of the capacity registers might drop it to 126. + /// + /// Related issue: [#69](https://github.com/0xPolygonMiden/crypto/issues/69) + const COLLISION_RESISTANCE: u32 = 128; + + type Digest = RpxDigest; + + fn hash(bytes: &[u8]) -> Self::Digest { + // initialize the state with zeroes + let mut state = [ZERO; STATE_WIDTH]; + + // set the capacity (first element) to a flag on whether or not the input length is evenly + // divided by the rate. this will prevent collisions between padded and non-padded inputs, + // and will rule out the need to perform an extra permutation in case of evenly divided + // inputs. + let is_rate_multiple = bytes.len() % RATE_WIDTH == 0; + if !is_rate_multiple { + state[CAPACITY_RANGE.start] = ONE; + } + + // initialize a buffer to receive the little-endian elements. + let mut buf = [0_u8; 8]; + + // iterate the chunks of bytes, creating a field element from each chunk and copying it + // into the state. + // + // every time the rate range is filled, a permutation is performed. if the final value of + // `i` is not zero, then the chunks count wasn't enough to fill the state range, and an + // additional permutation must be performed. + let i = bytes.chunks(BINARY_CHUNK_SIZE).fold(0, |i, chunk| { + // the last element of the iteration may or may not be a full chunk. if it's not, then + // we need to pad the remainder bytes of the chunk with zeroes, separated by a `1`. + // this will avoid collisions. + if chunk.len() == BINARY_CHUNK_SIZE { + buf[..BINARY_CHUNK_SIZE].copy_from_slice(chunk); + } else { + buf.fill(0); + buf[..chunk.len()].copy_from_slice(chunk); + buf[chunk.len()] = 1; + } + + // set the current rate element to the input. since we take at most 7 bytes, we are + // guaranteed that the inputs data will fit into a single field element. + state[RATE_RANGE.start + i] = Felt::new(u64::from_le_bytes(buf)); + + // proceed filling the range. if it's full, then we apply a permutation and reset the + // counter to the beginning of the range. + if i == RATE_WIDTH - 1 { + Self::apply_permutation(&mut state); + 0 + } else { + i + 1 + } + }); + + // if we absorbed some elements but didn't apply a permutation to them (would happen when + // the number of elements is not a multiple of RATE_WIDTH), apply the RPX permutation. we + // don't need to apply any extra padding because the first capacity element containts a + // flag indicating whether the input is evenly divisible by the rate. + if i != 0 { + state[RATE_RANGE.start + i..RATE_RANGE.end].fill(ZERO); + state[RATE_RANGE.start + i] = ONE; + Self::apply_permutation(&mut state); + } + + // return the first 4 elements of the rate as hash result. + RpxDigest::new(state[DIGEST_RANGE].try_into().unwrap()) + } + + fn merge(values: &[Self::Digest; 2]) -> Self::Digest { + // initialize the state by copying the digest elements into the rate portion of the state + // (8 total elements), and set the capacity elements to 0. + let mut state = [ZERO; STATE_WIDTH]; + let it = Self::Digest::digests_as_elements(values.iter()); + for (i, v) in it.enumerate() { + state[RATE_RANGE.start + i] = *v; + } + + // apply the RPX permutation and return the first four elements of the state + Self::apply_permutation(&mut state); + RpxDigest::new(state[DIGEST_RANGE].try_into().unwrap()) + } + + fn merge_with_int(seed: Self::Digest, value: u64) -> Self::Digest { + // initialize the state as follows: + // - seed is copied into the first 4 elements of the rate portion of the state. + // - if the value fits into a single field element, copy it into the fifth rate element + // and set the sixth rate element to 1. + // - if the value doesn't fit into a single field element, split it into two field + // elements, copy them into rate elements 5 and 6, and set the seventh rate element + // to 1. + // - set the first capacity element to 1 + let mut state = [ZERO; STATE_WIDTH]; + state[INPUT1_RANGE].copy_from_slice(seed.as_elements()); + state[INPUT2_RANGE.start] = Felt::new(value); + if value < Felt::MODULUS { + state[INPUT2_RANGE.start + 1] = ONE; + } else { + state[INPUT2_RANGE.start + 1] = Felt::new(value / Felt::MODULUS); + state[INPUT2_RANGE.start + 2] = ONE; + } + + // common padding for both cases + state[CAPACITY_RANGE.start] = ONE; + + // apply the RPX permutation and return the first four elements of the state + Self::apply_permutation(&mut state); + RpxDigest::new(state[DIGEST_RANGE].try_into().unwrap()) + } +} + +impl ElementHasher for Rpx256 { + type BaseField = Felt; + + fn hash_elements>(elements: &[E]) -> Self::Digest { + // convert the elements into a list of base field elements + let elements = E::slice_as_base_elements(elements); + + // initialize state to all zeros, except for the first element of the capacity part, which + // is set to 1 if the number of elements is not a multiple of RATE_WIDTH. + let mut state = [ZERO; STATE_WIDTH]; + if elements.len() % RATE_WIDTH != 0 { + state[CAPACITY_RANGE.start] = ONE; + } + + // absorb elements into the state one by one until the rate portion of the state is filled + // up; then apply the Rescue permutation and start absorbing again; repeat until all + // elements have been absorbed + let mut i = 0; + for &element in elements.iter() { + state[RATE_RANGE.start + i] = element; + i += 1; + if i % RATE_WIDTH == 0 { + Self::apply_permutation(&mut state); + i = 0; + } + } + + // if we absorbed some elements but didn't apply a permutation to them (would happen when + // the number of elements is not a multiple of RATE_WIDTH), apply the RPX permutation after + // padding by appending a 1 followed by as many 0 as necessary to make the input length a + // multiple of the RATE_WIDTH. + if i > 0 { + state[RATE_RANGE.start + i] = ONE; + i += 1; + while i != RATE_WIDTH { + state[RATE_RANGE.start + i] = ZERO; + i += 1; + } + Self::apply_permutation(&mut state); + } + + // return the first 4 elements of the state as hash result + RpxDigest::new(state[DIGEST_RANGE].try_into().unwrap()) + } +} + +// HASH FUNCTION IMPLEMENTATION +// ================================================================================================ + +impl Rpx256 { + // CONSTANTS + // -------------------------------------------------------------------------------------------- + + /// Sponge state is set to 12 field elements or 768 bytes; 8 elements are reserved for rate and + /// the remaining 4 elements are reserved for capacity. + pub const STATE_WIDTH: usize = STATE_WIDTH; + + /// The rate portion of the state is located in elements 4 through 11 (inclusive). + pub const RATE_RANGE: Range = RATE_RANGE; + + /// The capacity portion of the state is located in elements 0, 1, 2, and 3. + pub const CAPACITY_RANGE: Range = CAPACITY_RANGE; + + /// The output of the hash function can be read from state elements 4, 5, 6, and 7. + pub const DIGEST_RANGE: Range = DIGEST_RANGE; + + /// MDS matrix used for computing the linear layer in the (FB) and (E) rounds. + pub const MDS: [[Felt; STATE_WIDTH]; STATE_WIDTH] = MDS; + + /// Round constants added to the hasher state in the first half of the round. + pub const ARK1: [[Felt; STATE_WIDTH]; NUM_ROUNDS] = ARK1; + + /// Round constants added to the hasher state in the second half of the round. + pub const ARK2: [[Felt; STATE_WIDTH]; NUM_ROUNDS] = ARK2; + + // TRAIT PASS-THROUGH FUNCTIONS + // -------------------------------------------------------------------------------------------- + + /// Returns a hash of the provided sequence of bytes. + #[inline(always)] + pub fn hash(bytes: &[u8]) -> RpxDigest { + ::hash(bytes) + } + + /// Returns a hash of two digests. This method is intended for use in construction of + /// Merkle trees and verification of Merkle paths. + #[inline(always)] + pub fn merge(values: &[RpxDigest; 2]) -> RpxDigest { + ::merge(values) + } + + /// Returns a hash of the provided field elements. + #[inline(always)] + pub fn hash_elements>(elements: &[E]) -> RpxDigest { + ::hash_elements(elements) + } + + // DOMAIN IDENTIFIER + // -------------------------------------------------------------------------------------------- + + /// Returns a hash of two digests and a domain identifier. + pub fn merge_in_domain(values: &[RpxDigest; 2], domain: Felt) -> RpxDigest { + // initialize the state by copying the digest elements into the rate portion of the state + // (8 total elements), and set the capacity elements to 0. + let mut state = [ZERO; STATE_WIDTH]; + let it = RpxDigest::digests_as_elements(values.iter()); + for (i, v) in it.enumerate() { + state[RATE_RANGE.start + i] = *v; + } + + // set the second capacity element to the domain value. The first capacity element is used + // for padding purposes. + state[CAPACITY_RANGE.start + 1] = domain; + + // apply the RPX permutation and return the first four elements of the state + Self::apply_permutation(&mut state); + RpxDigest::new(state[DIGEST_RANGE].try_into().unwrap()) + } + + // RPX PERMUTATION + // -------------------------------------------------------------------------------------------- + + /// Applies RPX permutation to the provided state. + #[inline(always)] + pub fn apply_permutation(state: &mut [Felt; STATE_WIDTH]) { + Self::apply_fb_round(state, 0); + Self::apply_ext_round(state, 1); + Self::apply_fb_round(state, 2); + Self::apply_ext_round(state, 3); + Self::apply_fb_round(state, 4); + Self::apply_ext_round(state, 5); + Self::apply_final_round(state, 6); + } + + // RPX PERMUTATION ROUND FUNCTIONS + // -------------------------------------------------------------------------------------------- + + /// (FB) round function. + #[inline(always)] + pub fn apply_fb_round(state: &mut [Felt; STATE_WIDTH], round: usize) { + apply_mds(state); + if !optimized_add_constants_and_apply_sbox(state, &ARK1[round]) { + add_constants(state, &ARK1[round]); + apply_sbox(state); + } + + apply_mds(state); + if !optimized_add_constants_and_apply_inv_sbox(state, &ARK2[round]) { + add_constants(state, &ARK2[round]); + apply_inv_sbox(state); + } + } + + /// (E) round function. + #[inline(always)] + pub fn apply_ext_round(state: &mut [Felt; STATE_WIDTH], round: usize) { + // add constants + add_constants(state, &ARK1[round]); + + // decompose the state into 4 elements in the cubic extension field and apply the power 7 + // map to each of the elements + let [s0, s1, s2, s3, s4, s5, s6, s7, s8, s9, s10, s11] = *state; + let ext0 = Self::exp7(CubicExtElement::new(s0, s1, s2)); + let ext1 = Self::exp7(CubicExtElement::new(s3, s4, s5)); + let ext2 = Self::exp7(CubicExtElement::new(s6, s7, s8)); + let ext3 = Self::exp7(CubicExtElement::new(s9, s10, s11)); + + // decompose the state back into 12 base field elements + let arr_ext = [ext0, ext1, ext2, ext3]; + *state = CubicExtElement::slice_as_base_elements(&arr_ext) + .try_into() + .expect("shouldn't fail"); + } + + /// (M) round function. + #[inline(always)] + pub fn apply_final_round(state: &mut [Felt; STATE_WIDTH], round: usize) { + apply_mds(state); + add_constants(state, &ARK1[round]); + } + + /// Computes an exponentiation to the power 7 in cubic extension field + #[inline(always)] + pub fn exp7(x: CubeExtension) -> CubeExtension { + let x2 = x.square(); + let x4 = x2.square(); + + let x3 = x2 * x; + x3 * x4 + } +} diff --git a/src/hash/rescue/tests.rs b/src/hash/rescue/tests.rs new file mode 100644 index 0000000..f0669e9 --- /dev/null +++ b/src/hash/rescue/tests.rs @@ -0,0 +1,9 @@ +use super::{Felt, FieldElement, ALPHA, INV_ALPHA}; +use rand_utils::rand_value; + +#[test] +fn test_alphas() { + let e: Felt = Felt::new(rand_value()); + let e_exp = e.exp(ALPHA); + assert_eq!(e, e_exp.exp(INV_ALPHA)); +} diff --git a/src/hash/rpo/mod.rs b/src/hash/rpo/mod.rs deleted file mode 100644 index 7dbef20..0000000 --- a/src/hash/rpo/mod.rs +++ /dev/null @@ -1,905 +0,0 @@ -use super::{Digest, ElementHasher, Felt, FieldElement, Hasher, StarkField, ONE, ZERO}; -use core::{convert::TryInto, ops::Range}; - -mod digest; -pub use digest::RpoDigest; - -mod mds_freq; -use mds_freq::mds_multiply_freq; - -#[cfg(test)] -mod tests; - -#[cfg(all(target_feature = "sve", feature = "sve"))] -#[link(name = "rpo_sve", kind = "static")] -extern "C" { - fn add_constants_and_apply_sbox( - state: *mut std::ffi::c_ulong, - constants: *const std::ffi::c_ulong, - ) -> bool; - fn add_constants_and_apply_inv_sbox( - state: *mut std::ffi::c_ulong, - constants: *const std::ffi::c_ulong, - ) -> bool; -} - -// CONSTANTS -// ================================================================================================ - -/// Sponge state is set to 12 field elements or 96 bytes; 8 elements are reserved for rate and -/// the remaining 4 elements are reserved for capacity. -const STATE_WIDTH: usize = 12; - -/// The rate portion of the state is located in elements 4 through 11. -const RATE_RANGE: Range = 4..12; -const RATE_WIDTH: usize = RATE_RANGE.end - RATE_RANGE.start; - -const INPUT1_RANGE: Range = 4..8; -const INPUT2_RANGE: Range = 8..12; - -/// The capacity portion of the state is located in elements 0, 1, 2, and 3. -const CAPACITY_RANGE: Range = 0..4; - -/// The output of the hash function is a digest which consists of 4 field elements or 32 bytes. -/// -/// The digest is returned from state elements 4, 5, 6, and 7 (the first four elements of the -/// rate portion). -const DIGEST_RANGE: Range = 4..8; -const DIGEST_SIZE: usize = DIGEST_RANGE.end - DIGEST_RANGE.start; - -/// The number of rounds is set to 7 to target 128-bit security level -const NUM_ROUNDS: usize = 7; - -/// The number of byte chunks defining a field element when hashing a sequence of bytes -const BINARY_CHUNK_SIZE: usize = 7; - -/// S-Box and Inverse S-Box powers; -/// -/// The constants are defined for tests only because the exponentiations in the code are unrolled -/// for efficiency reasons. -#[cfg(test)] -const ALPHA: u64 = 7; -#[cfg(test)] -const INV_ALPHA: u64 = 10540996611094048183; - -// HASHER IMPLEMENTATION -// ================================================================================================ - -/// Implementation of the Rescue Prime Optimized hash function with 256-bit output. -/// -/// The hash function is implemented according to the Rescue Prime Optimized -/// [specifications](https://eprint.iacr.org/2022/1577) -/// -/// The parameters used to instantiate the function are: -/// * Field: 64-bit prime field with modulus 2^64 - 2^32 + 1. -/// * State width: 12 field elements. -/// * Capacity size: 4 field elements. -/// * Number of founds: 7. -/// * S-Box degree: 7. -/// -/// The above parameters target 128-bit security level. The digest consists of four field elements -/// and it can be serialized into 32 bytes (256 bits). -/// -/// ## Hash output consistency -/// Functions [hash_elements()](Rpo256::hash_elements), [merge()](Rpo256::merge), and -/// [merge_with_int()](Rpo256::merge_with_int) are internally consistent. That is, computing -/// a hash for the same set of elements using these functions will always produce the same -/// result. For example, merging two digests using [merge()](Rpo256::merge) will produce the -/// same result as hashing 8 elements which make up these digests using -/// [hash_elements()](Rpo256::hash_elements) function. -/// -/// However, [hash()](Rpo256::hash) function is not consistent with functions mentioned above. -/// For example, if we take two field elements, serialize them to bytes and hash them using -/// [hash()](Rpo256::hash), the result will differ from the result obtained by hashing these -/// elements directly using [hash_elements()](Rpo256::hash_elements) function. The reason for -/// this difference is that [hash()](Rpo256::hash) function needs to be able to handle -/// arbitrary binary strings, which may or may not encode valid field elements - and thus, -/// deserialization procedure used by this function is different from the procedure used to -/// deserialize valid field elements. -/// -/// Thus, if the underlying data consists of valid field elements, it might make more sense -/// to deserialize them into field elements and then hash them using -/// [hash_elements()](Rpo256::hash_elements) function rather then hashing the serialized bytes -/// using [hash()](Rpo256::hash) function. -#[derive(Debug, Copy, Clone, Eq, PartialEq)] -pub struct Rpo256(); - -impl Hasher for Rpo256 { - /// Rpo256 collision resistance is the same as the security level, that is 128-bits. - /// - /// #### Collision resistance - /// - /// However, our setup of the capacity registers might drop it to 126. - /// - /// Related issue: [#69](https://github.com/0xPolygonMiden/crypto/issues/69) - const COLLISION_RESISTANCE: u32 = 128; - - type Digest = RpoDigest; - - fn hash(bytes: &[u8]) -> Self::Digest { - // initialize the state with zeroes - let mut state = [ZERO; STATE_WIDTH]; - - // set the capacity (first element) to a flag on whether or not the input length is evenly - // divided by the rate. this will prevent collisions between padded and non-padded inputs, - // and will rule out the need to perform an extra permutation in case of evenly divided - // inputs. - let is_rate_multiple = bytes.len() % RATE_WIDTH == 0; - if !is_rate_multiple { - state[CAPACITY_RANGE.start] = ONE; - } - - // initialize a buffer to receive the little-endian elements. - let mut buf = [0_u8; 8]; - - // iterate the chunks of bytes, creating a field element from each chunk and copying it - // into the state. - // - // every time the rate range is filled, a permutation is performed. if the final value of - // `i` is not zero, then the chunks count wasn't enough to fill the state range, and an - // additional permutation must be performed. - let i = bytes.chunks(BINARY_CHUNK_SIZE).fold(0, |i, chunk| { - // the last element of the iteration may or may not be a full chunk. if it's not, then - // we need to pad the remainder bytes of the chunk with zeroes, separated by a `1`. - // this will avoid collisions. - if chunk.len() == BINARY_CHUNK_SIZE { - buf[..BINARY_CHUNK_SIZE].copy_from_slice(chunk); - } else { - buf.fill(0); - buf[..chunk.len()].copy_from_slice(chunk); - buf[chunk.len()] = 1; - } - - // set the current rate element to the input. since we take at most 7 bytes, we are - // guaranteed that the inputs data will fit into a single field element. - state[RATE_RANGE.start + i] = Felt::new(u64::from_le_bytes(buf)); - - // proceed filling the range. if it's full, then we apply a permutation and reset the - // counter to the beginning of the range. - if i == RATE_WIDTH - 1 { - Self::apply_permutation(&mut state); - 0 - } else { - i + 1 - } - }); - - // if we absorbed some elements but didn't apply a permutation to them (would happen when - // the number of elements is not a multiple of RATE_WIDTH), apply the RPO permutation. we - // don't need to apply any extra padding because the first capacity element contains a - // flag indicating whether the input is evenly divisible by the rate. - if i != 0 { - state[RATE_RANGE.start + i..RATE_RANGE.end].fill(ZERO); - state[RATE_RANGE.start + i] = ONE; - Self::apply_permutation(&mut state); - } - - // return the first 4 elements of the rate as hash result. - RpoDigest::new(state[DIGEST_RANGE].try_into().unwrap()) - } - - fn merge(values: &[Self::Digest; 2]) -> Self::Digest { - // initialize the state by copying the digest elements into the rate portion of the state - // (8 total elements), and set the capacity elements to 0. - let mut state = [ZERO; STATE_WIDTH]; - let it = Self::Digest::digests_as_elements(values.iter()); - for (i, v) in it.enumerate() { - state[RATE_RANGE.start + i] = *v; - } - - // apply the RPO permutation and return the first four elements of the state - Self::apply_permutation(&mut state); - RpoDigest::new(state[DIGEST_RANGE].try_into().unwrap()) - } - - fn merge_with_int(seed: Self::Digest, value: u64) -> Self::Digest { - // initialize the state as follows: - // - seed is copied into the first 4 elements of the rate portion of the state. - // - if the value fits into a single field element, copy it into the fifth rate element - // and set the sixth rate element to 1. - // - if the value doesn't fit into a single field element, split it into two field - // elements, copy them into rate elements 5 and 6, and set the seventh rate element - // to 1. - // - set the first capacity element to 1 - let mut state = [ZERO; STATE_WIDTH]; - state[INPUT1_RANGE].copy_from_slice(seed.as_elements()); - state[INPUT2_RANGE.start] = Felt::new(value); - if value < Felt::MODULUS { - state[INPUT2_RANGE.start + 1] = ONE; - } else { - state[INPUT2_RANGE.start + 1] = Felt::new(value / Felt::MODULUS); - state[INPUT2_RANGE.start + 2] = ONE; - } - - // common padding for both cases - state[CAPACITY_RANGE.start] = ONE; - - // apply the RPO permutation and return the first four elements of the state - Self::apply_permutation(&mut state); - RpoDigest::new(state[DIGEST_RANGE].try_into().unwrap()) - } -} - -impl ElementHasher for Rpo256 { - type BaseField = Felt; - - fn hash_elements>(elements: &[E]) -> Self::Digest { - // convert the elements into a list of base field elements - let elements = E::slice_as_base_elements(elements); - - // initialize state to all zeros, except for the first element of the capacity part, which - // is set to 1 if the number of elements is not a multiple of RATE_WIDTH. - let mut state = [ZERO; STATE_WIDTH]; - if elements.len() % RATE_WIDTH != 0 { - state[CAPACITY_RANGE.start] = ONE; - } - - // absorb elements into the state one by one until the rate portion of the state is filled - // up; then apply the Rescue permutation and start absorbing again; repeat until all - // elements have been absorbed - let mut i = 0; - for &element in elements.iter() { - state[RATE_RANGE.start + i] = element; - i += 1; - if i % RATE_WIDTH == 0 { - Self::apply_permutation(&mut state); - i = 0; - } - } - - // if we absorbed some elements but didn't apply a permutation to them (would happen when - // the number of elements is not a multiple of RATE_WIDTH), apply the RPO permutation after - // padding by appending a 1 followed by as many 0 as necessary to make the input length a - // multiple of the RATE_WIDTH. - if i > 0 { - state[RATE_RANGE.start + i] = ONE; - i += 1; - while i != RATE_WIDTH { - state[RATE_RANGE.start + i] = ZERO; - i += 1; - } - Self::apply_permutation(&mut state); - } - - // return the first 4 elements of the state as hash result - RpoDigest::new(state[DIGEST_RANGE].try_into().unwrap()) - } -} - -// HASH FUNCTION IMPLEMENTATION -// ================================================================================================ - -impl Rpo256 { - // CONSTANTS - // -------------------------------------------------------------------------------------------- - - /// The number of rounds is set to 7 to target 128-bit security level. - pub const NUM_ROUNDS: usize = NUM_ROUNDS; - - /// Sponge state is set to 12 field elements or 768 bytes; 8 elements are reserved for rate and - /// the remaining 4 elements are reserved for capacity. - pub const STATE_WIDTH: usize = STATE_WIDTH; - - /// The rate portion of the state is located in elements 4 through 11 (inclusive). - pub const RATE_RANGE: Range = RATE_RANGE; - - /// The capacity portion of the state is located in elements 0, 1, 2, and 3. - pub const CAPACITY_RANGE: Range = CAPACITY_RANGE; - - /// The output of the hash function can be read from state elements 4, 5, 6, and 7. - pub const DIGEST_RANGE: Range = DIGEST_RANGE; - - /// MDS matrix used for computing the linear layer in a RPO round. - pub const MDS: [[Felt; STATE_WIDTH]; STATE_WIDTH] = MDS; - - /// Round constants added to the hasher state in the first half of the RPO round. - pub const ARK1: [[Felt; STATE_WIDTH]; NUM_ROUNDS] = ARK1; - - /// Round constants added to the hasher state in the second half of the RPO round. - pub const ARK2: [[Felt; STATE_WIDTH]; NUM_ROUNDS] = ARK2; - - // TRAIT PASS-THROUGH FUNCTIONS - // -------------------------------------------------------------------------------------------- - - /// Returns a hash of the provided sequence of bytes. - #[inline(always)] - pub fn hash(bytes: &[u8]) -> RpoDigest { - ::hash(bytes) - } - - /// Returns a hash of two digests. This method is intended for use in construction of - /// Merkle trees and verification of Merkle paths. - #[inline(always)] - pub fn merge(values: &[RpoDigest; 2]) -> RpoDigest { - ::merge(values) - } - - /// Returns a hash of the provided field elements. - #[inline(always)] - pub fn hash_elements>(elements: &[E]) -> RpoDigest { - ::hash_elements(elements) - } - - // DOMAIN IDENTIFIER - // -------------------------------------------------------------------------------------------- - - /// Returns a hash of two digests and a domain identifier. - pub fn merge_in_domain(values: &[RpoDigest; 2], domain: Felt) -> RpoDigest { - // initialize the state by copying the digest elements into the rate portion of the state - // (8 total elements), and set the capacity elements to 0. - let mut state = [ZERO; STATE_WIDTH]; - let it = RpoDigest::digests_as_elements(values.iter()); - for (i, v) in it.enumerate() { - state[RATE_RANGE.start + i] = *v; - } - - // set the second capacity element to the domain value. The first capacity element is used - // for padding purposes. - state[CAPACITY_RANGE.start + 1] = domain; - - // apply the RPO permutation and return the first four elements of the state - Self::apply_permutation(&mut state); - RpoDigest::new(state[DIGEST_RANGE].try_into().unwrap()) - } - - // RESCUE PERMUTATION - // -------------------------------------------------------------------------------------------- - - /// Applies RPO permutation to the provided state. - #[inline(always)] - pub fn apply_permutation(state: &mut [Felt; STATE_WIDTH]) { - for i in 0..NUM_ROUNDS { - Self::apply_round(state, i); - } - } - - /// RPO round function. - #[inline(always)] - pub fn apply_round(state: &mut [Felt; STATE_WIDTH], round: usize) { - // apply first half of RPO round - Self::apply_mds(state); - if !Self::optimized_add_constants_and_apply_sbox(state, &ARK1[round]) { - Self::add_constants(state, &ARK1[round]); - Self::apply_sbox(state); - } - - // apply second half of RPO round - Self::apply_mds(state); - if !Self::optimized_add_constants_and_apply_inv_sbox(state, &ARK2[round]) { - Self::add_constants(state, &ARK2[round]); - Self::apply_inv_sbox(state); - } - } - - // HELPER FUNCTIONS - // -------------------------------------------------------------------------------------------- - - #[inline(always)] - #[cfg(all(target_feature = "sve", feature = "sve"))] - fn optimized_add_constants_and_apply_sbox( - state: &mut [Felt; STATE_WIDTH], - ark: &[Felt; STATE_WIDTH], - ) -> bool { - unsafe { - add_constants_and_apply_sbox(state.as_mut_ptr() as *mut u64, ark.as_ptr() as *const u64) - } - } - - #[inline(always)] - #[cfg(not(all(target_feature = "sve", feature = "sve")))] - fn optimized_add_constants_and_apply_sbox( - _state: &mut [Felt; STATE_WIDTH], - _ark: &[Felt; STATE_WIDTH], - ) -> bool { - false - } - - #[inline(always)] - #[cfg(all(target_feature = "sve", feature = "sve"))] - fn optimized_add_constants_and_apply_inv_sbox( - state: &mut [Felt; STATE_WIDTH], - ark: &[Felt; STATE_WIDTH], - ) -> bool { - unsafe { - add_constants_and_apply_inv_sbox( - state.as_mut_ptr() as *mut u64, - ark.as_ptr() as *const u64, - ) - } - } - - #[inline(always)] - #[cfg(not(all(target_feature = "sve", feature = "sve")))] - fn optimized_add_constants_and_apply_inv_sbox( - _state: &mut [Felt; STATE_WIDTH], - _ark: &[Felt; STATE_WIDTH], - ) -> bool { - false - } - - #[inline(always)] - fn apply_mds(state: &mut [Felt; STATE_WIDTH]) { - let mut result = [ZERO; STATE_WIDTH]; - - // Using the linearity of the operations we can split the state into a low||high decomposition - // and operate on each with no overflow and then combine/reduce the result to a field element. - // The no overflow is guaranteed by the fact that the MDS matrix is a small powers of two in - // frequency domain. - let mut state_l = [0u64; STATE_WIDTH]; - let mut state_h = [0u64; STATE_WIDTH]; - - for r in 0..STATE_WIDTH { - let s = state[r].inner(); - state_h[r] = s >> 32; - state_l[r] = (s as u32) as u64; - } - - let state_h = mds_multiply_freq(state_h); - let state_l = mds_multiply_freq(state_l); - - for r in 0..STATE_WIDTH { - let s = state_l[r] as u128 + ((state_h[r] as u128) << 32); - let s_hi = (s >> 64) as u64; - let s_lo = s as u64; - let z = (s_hi << 32) - s_hi; - let (res, over) = s_lo.overflowing_add(z); - - result[r] = Felt::from_mont(res.wrapping_add(0u32.wrapping_sub(over as u32) as u64)); - } - *state = result; - } - - #[inline(always)] - fn add_constants(state: &mut [Felt; STATE_WIDTH], ark: &[Felt; STATE_WIDTH]) { - state.iter_mut().zip(ark).for_each(|(s, &k)| *s += k); - } - - #[inline(always)] - fn apply_sbox(state: &mut [Felt; STATE_WIDTH]) { - state[0] = state[0].exp7(); - state[1] = state[1].exp7(); - state[2] = state[2].exp7(); - state[3] = state[3].exp7(); - state[4] = state[4].exp7(); - state[5] = state[5].exp7(); - state[6] = state[6].exp7(); - state[7] = state[7].exp7(); - state[8] = state[8].exp7(); - state[9] = state[9].exp7(); - state[10] = state[10].exp7(); - state[11] = state[11].exp7(); - } - - #[inline(always)] - fn apply_inv_sbox(state: &mut [Felt; STATE_WIDTH]) { - // compute base^10540996611094048183 using 72 multiplications per array element - // 10540996611094048183 = b1001001001001001001001001001000110110110110110110110110110110111 - - // compute base^10 - let mut t1 = *state; - t1.iter_mut().for_each(|t| *t = t.square()); - - // compute base^100 - let mut t2 = t1; - t2.iter_mut().for_each(|t| *t = t.square()); - - // compute base^100100 - let t3 = Self::exp_acc::(t2, t2); - - // compute base^100100100100 - let t4 = Self::exp_acc::(t3, t3); - - // compute base^100100100100100100100100 - let t5 = Self::exp_acc::(t4, t4); - - // compute base^100100100100100100100100100100 - let t6 = Self::exp_acc::(t5, t3); - - // compute base^1001001001001001001001001001000100100100100100100100100100100 - let t7 = Self::exp_acc::(t6, t6); - - // compute base^1001001001001001001001001001000110110110110110110110110110110111 - for (i, s) in state.iter_mut().enumerate() { - let a = (t7[i].square() * t6[i]).square().square(); - let b = t1[i] * t2[i] * *s; - *s = a * b; - } - } - - #[inline(always)] - fn exp_acc( - base: [B; N], - tail: [B; N], - ) -> [B; N] { - let mut result = base; - for _ in 0..M { - result.iter_mut().for_each(|r| *r = r.square()); - } - result.iter_mut().zip(tail).for_each(|(r, t)| *r *= t); - result - } -} - -// MDS -// ================================================================================================ -/// RPO MDS matrix -const MDS: [[Felt; STATE_WIDTH]; STATE_WIDTH] = [ - [ - Felt::new(7), - Felt::new(23), - Felt::new(8), - Felt::new(26), - Felt::new(13), - Felt::new(10), - Felt::new(9), - Felt::new(7), - Felt::new(6), - Felt::new(22), - Felt::new(21), - Felt::new(8), - ], - [ - Felt::new(8), - Felt::new(7), - Felt::new(23), - Felt::new(8), - Felt::new(26), - Felt::new(13), - Felt::new(10), - Felt::new(9), - Felt::new(7), - Felt::new(6), - Felt::new(22), - Felt::new(21), - ], - [ - Felt::new(21), - Felt::new(8), - Felt::new(7), - Felt::new(23), - Felt::new(8), - Felt::new(26), - Felt::new(13), - Felt::new(10), - Felt::new(9), - Felt::new(7), - Felt::new(6), - Felt::new(22), - ], - [ - Felt::new(22), - Felt::new(21), - Felt::new(8), - Felt::new(7), - Felt::new(23), - Felt::new(8), - Felt::new(26), - Felt::new(13), - Felt::new(10), - Felt::new(9), - Felt::new(7), - Felt::new(6), - ], - [ - Felt::new(6), - Felt::new(22), - Felt::new(21), - Felt::new(8), - Felt::new(7), - Felt::new(23), - Felt::new(8), - Felt::new(26), - Felt::new(13), - Felt::new(10), - Felt::new(9), - Felt::new(7), - ], - [ - Felt::new(7), - Felt::new(6), - Felt::new(22), - Felt::new(21), - Felt::new(8), - Felt::new(7), - Felt::new(23), - Felt::new(8), - Felt::new(26), - Felt::new(13), - Felt::new(10), - Felt::new(9), - ], - [ - Felt::new(9), - Felt::new(7), - Felt::new(6), - Felt::new(22), - Felt::new(21), - Felt::new(8), - Felt::new(7), - Felt::new(23), - Felt::new(8), - Felt::new(26), - Felt::new(13), - Felt::new(10), - ], - [ - Felt::new(10), - Felt::new(9), - Felt::new(7), - Felt::new(6), - Felt::new(22), - Felt::new(21), - Felt::new(8), - Felt::new(7), - Felt::new(23), - Felt::new(8), - Felt::new(26), - Felt::new(13), - ], - [ - Felt::new(13), - Felt::new(10), - Felt::new(9), - Felt::new(7), - Felt::new(6), - Felt::new(22), - Felt::new(21), - Felt::new(8), - Felt::new(7), - Felt::new(23), - Felt::new(8), - Felt::new(26), - ], - [ - Felt::new(26), - Felt::new(13), - Felt::new(10), - Felt::new(9), - Felt::new(7), - Felt::new(6), - Felt::new(22), - Felt::new(21), - Felt::new(8), - Felt::new(7), - Felt::new(23), - Felt::new(8), - ], - [ - Felt::new(8), - Felt::new(26), - Felt::new(13), - Felt::new(10), - Felt::new(9), - Felt::new(7), - Felt::new(6), - Felt::new(22), - Felt::new(21), - Felt::new(8), - Felt::new(7), - Felt::new(23), - ], - [ - Felt::new(23), - Felt::new(8), - Felt::new(26), - Felt::new(13), - Felt::new(10), - Felt::new(9), - Felt::new(7), - Felt::new(6), - Felt::new(22), - Felt::new(21), - Felt::new(8), - Felt::new(7), - ], -]; - -// ROUND CONSTANTS -// ================================================================================================ - -/// Rescue round constants; -/// computed as in [specifications](https://github.com/ASDiscreteMathematics/rpo) -/// -/// The constants are broken up into two arrays ARK1 and ARK2; ARK1 contains the constants for the -/// first half of RPO round, and ARK2 contains constants for the second half of RPO round. -const ARK1: [[Felt; STATE_WIDTH]; NUM_ROUNDS] = [ - [ - Felt::new(5789762306288267392), - Felt::new(6522564764413701783), - Felt::new(17809893479458208203), - Felt::new(107145243989736508), - Felt::new(6388978042437517382), - Felt::new(15844067734406016715), - Felt::new(9975000513555218239), - Felt::new(3344984123768313364), - Felt::new(9959189626657347191), - Felt::new(12960773468763563665), - Felt::new(9602914297752488475), - Felt::new(16657542370200465908), - ], - [ - Felt::new(12987190162843096997), - Felt::new(653957632802705281), - Felt::new(4441654670647621225), - Felt::new(4038207883745915761), - Felt::new(5613464648874830118), - Felt::new(13222989726778338773), - Felt::new(3037761201230264149), - Felt::new(16683759727265180203), - Felt::new(8337364536491240715), - Felt::new(3227397518293416448), - Felt::new(8110510111539674682), - Felt::new(2872078294163232137), - ], - [ - Felt::new(18072785500942327487), - Felt::new(6200974112677013481), - Felt::new(17682092219085884187), - Felt::new(10599526828986756440), - Felt::new(975003873302957338), - Felt::new(8264241093196931281), - Felt::new(10065763900435475170), - Felt::new(2181131744534710197), - Felt::new(6317303992309418647), - Felt::new(1401440938888741532), - Felt::new(8884468225181997494), - Felt::new(13066900325715521532), - ], - [ - Felt::new(5674685213610121970), - Felt::new(5759084860419474071), - Felt::new(13943282657648897737), - Felt::new(1352748651966375394), - Felt::new(17110913224029905221), - Felt::new(1003883795902368422), - Felt::new(4141870621881018291), - Felt::new(8121410972417424656), - Felt::new(14300518605864919529), - Felt::new(13712227150607670181), - Felt::new(17021852944633065291), - Felt::new(6252096473787587650), - ], - [ - Felt::new(4887609836208846458), - Felt::new(3027115137917284492), - Felt::new(9595098600469470675), - Felt::new(10528569829048484079), - Felt::new(7864689113198939815), - Felt::new(17533723827845969040), - Felt::new(5781638039037710951), - Felt::new(17024078752430719006), - Felt::new(109659393484013511), - Felt::new(7158933660534805869), - Felt::new(2955076958026921730), - Felt::new(7433723648458773977), - ], - [ - Felt::new(16308865189192447297), - Felt::new(11977192855656444890), - Felt::new(12532242556065780287), - Felt::new(14594890931430968898), - Felt::new(7291784239689209784), - Felt::new(5514718540551361949), - Felt::new(10025733853830934803), - Felt::new(7293794580341021693), - Felt::new(6728552937464861756), - Felt::new(6332385040983343262), - Felt::new(13277683694236792804), - Felt::new(2600778905124452676), - ], - [ - Felt::new(7123075680859040534), - Felt::new(1034205548717903090), - Felt::new(7717824418247931797), - Felt::new(3019070937878604058), - Felt::new(11403792746066867460), - Felt::new(10280580802233112374), - Felt::new(337153209462421218), - Felt::new(13333398568519923717), - Felt::new(3596153696935337464), - Felt::new(8104208463525993784), - Felt::new(14345062289456085693), - Felt::new(17036731477169661256), - ], -]; - -const ARK2: [[Felt; STATE_WIDTH]; NUM_ROUNDS] = [ - [ - Felt::new(6077062762357204287), - Felt::new(15277620170502011191), - Felt::new(5358738125714196705), - Felt::new(14233283787297595718), - Felt::new(13792579614346651365), - Felt::new(11614812331536767105), - Felt::new(14871063686742261166), - Felt::new(10148237148793043499), - Felt::new(4457428952329675767), - Felt::new(15590786458219172475), - Felt::new(10063319113072092615), - Felt::new(14200078843431360086), - ], - [ - Felt::new(6202948458916099932), - Felt::new(17690140365333231091), - Felt::new(3595001575307484651), - Felt::new(373995945117666487), - Felt::new(1235734395091296013), - Felt::new(14172757457833931602), - Felt::new(707573103686350224), - Felt::new(15453217512188187135), - Felt::new(219777875004506018), - Felt::new(17876696346199469008), - Felt::new(17731621626449383378), - Felt::new(2897136237748376248), - ], - [ - Felt::new(8023374565629191455), - Felt::new(15013690343205953430), - Felt::new(4485500052507912973), - Felt::new(12489737547229155153), - Felt::new(9500452585969030576), - Felt::new(2054001340201038870), - Felt::new(12420704059284934186), - Felt::new(355990932618543755), - Felt::new(9071225051243523860), - Felt::new(12766199826003448536), - Felt::new(9045979173463556963), - Felt::new(12934431667190679898), - ], - [ - Felt::new(18389244934624494276), - Felt::new(16731736864863925227), - Felt::new(4440209734760478192), - Felt::new(17208448209698888938), - Felt::new(8739495587021565984), - Felt::new(17000774922218161967), - Felt::new(13533282547195532087), - Felt::new(525402848358706231), - Felt::new(16987541523062161972), - Felt::new(5466806524462797102), - Felt::new(14512769585918244983), - Felt::new(10973956031244051118), - ], - [ - Felt::new(6982293561042362913), - Felt::new(14065426295947720331), - Felt::new(16451845770444974180), - Felt::new(7139138592091306727), - Felt::new(9012006439959783127), - Felt::new(14619614108529063361), - Felt::new(1394813199588124371), - Felt::new(4635111139507788575), - Felt::new(16217473952264203365), - Felt::new(10782018226466330683), - Felt::new(6844229992533662050), - Felt::new(7446486531695178711), - ], - [ - Felt::new(3736792340494631448), - Felt::new(577852220195055341), - Felt::new(6689998335515779805), - Felt::new(13886063479078013492), - Felt::new(14358505101923202168), - Felt::new(7744142531772274164), - Felt::new(16135070735728404443), - Felt::new(12290902521256031137), - Felt::new(12059913662657709804), - Felt::new(16456018495793751911), - Felt::new(4571485474751953524), - Felt::new(17200392109565783176), - ], - [ - Felt::new(17130398059294018733), - Felt::new(519782857322261988), - Felt::new(9625384390925085478), - Felt::new(1664893052631119222), - Felt::new(7629576092524553570), - Felt::new(3485239601103661425), - Felt::new(9755891797164033838), - Felt::new(15218148195153269027), - Felt::new(16460604813734957368), - Felt::new(9643968136937729763), - Felt::new(3611348709641382851), - Felt::new(18256379591337759196), - ], -]; diff --git a/src/lib.rs b/src/lib.rs index 0eca3e3..26fb343 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -13,7 +13,10 @@ pub mod utils; // RE-EXPORTS // ================================================================================================ -pub use winter_math::{fields::f64::BaseElement as Felt, FieldElement, StarkField}; +pub use winter_math::{ + fields::{f64::BaseElement as Felt, CubeExtension, QuadExtension}, + FieldElement, StarkField, +}; // TYPE ALIASES // ================================================================================================ diff --git a/src/main.rs b/src/main.rs index e9f8299..31264d8 100644 --- a/src/main.rs +++ b/src/main.rs @@ -1,9 +1,8 @@ use clap::Parser; use miden_crypto::{ - hash::rpo::RpoDigest, - merkle::MerkleError, + hash::rpo::{Rpo256, RpoDigest}, + merkle::{MerkleError, TieredSmt}, Felt, Word, ONE, - {hash::rpo::Rpo256, merkle::TieredSmt}, }; use rand_utils::rand_value; use std::time::Instant; diff --git a/src/merkle/mmr/full.rs b/src/merkle/mmr/full.rs index 6b397dc..2549ddb 100644 --- a/src/merkle/mmr/full.rs +++ b/src/merkle/mmr/full.rs @@ -9,11 +9,12 @@ //! least number of leaves. The structure preserves the invariant that each tree has different //! depths, i.e. as part of adding adding a new element to the forest the trees with same depth are //! merged, creating a new tree with depth d+1, this process is continued until the property is -//! restabilished. +//! reestablished. use super::{ - super::{InnerNodeInfo, MerklePath, RpoDigest, Vec}, + super::{InnerNodeInfo, MerklePath, Vec}, bit::TrueBitPositionIterator, leaf_to_corresponding_tree, nodes_in_forest, MmrDelta, MmrError, MmrPeaks, MmrProof, Rpo256, + RpoDigest, }; // MMR diff --git a/src/merkle/mmr/mod.rs b/src/merkle/mmr/mod.rs index 4f810df..f92896a 100644 --- a/src/merkle/mmr/mod.rs +++ b/src/merkle/mmr/mod.rs @@ -10,7 +10,7 @@ mod proof; #[cfg(test)] mod tests; -use super::{Felt, Rpo256, Word}; +use super::{Felt, Rpo256, RpoDigest, Word}; // REEXPORTS // ================================================================================================ diff --git a/src/merkle/mmr/partial.rs b/src/merkle/mmr/partial.rs index d90cdf3..be3e75d 100644 --- a/src/merkle/mmr/partial.rs +++ b/src/merkle/mmr/partial.rs @@ -1,5 +1,5 @@ +use super::{MmrDelta, MmrProof, Rpo256, RpoDigest}; use crate::{ - hash::rpo::{Rpo256, RpoDigest}, merkle::{ mmr::{leaf_to_corresponding_tree, nodes_in_forest}, InOrderIndex, MerklePath, MmrError, MmrPeaks, @@ -7,8 +7,6 @@ use crate::{ utils::collections::{BTreeMap, Vec}, }; -use super::{MmrDelta, MmrProof}; - /// Partially materialized [Mmr], used to efficiently store and update the authentication paths for /// a subset of the elements in a full [Mmr]. /// diff --git a/src/merkle/mmr/tests.rs b/src/merkle/mmr/tests.rs index d829c96..aee7e4a 100644 --- a/src/merkle/mmr/tests.rs +++ b/src/merkle/mmr/tests.rs @@ -1,11 +1,10 @@ use super::{ - super::{InnerNodeInfo, Vec}, + super::{InnerNodeInfo, Rpo256, RpoDigest, Vec}, bit::TrueBitPositionIterator, full::high_bitmask, - leaf_to_corresponding_tree, nodes_in_forest, Mmr, MmrPeaks, PartialMmr, Rpo256, + leaf_to_corresponding_tree, nodes_in_forest, Mmr, MmrPeaks, PartialMmr, }; use crate::{ - hash::rpo::RpoDigest, merkle::{int_to_node, InOrderIndex, MerklePath, MerkleTree, MmrProof, NodeIndex}, Felt, Word, }; diff --git a/src/merkle/node.rs b/src/merkle/node.rs index 4305e7f..bf18d38 100644 --- a/src/merkle/node.rs +++ b/src/merkle/node.rs @@ -1,4 +1,4 @@ -use crate::hash::rpo::RpoDigest; +use super::RpoDigest; /// Representation of a node with two children used for iterating over containers. #[derive(Debug, Clone, PartialEq, Eq)] diff --git a/src/merkle/store/tests.rs b/src/merkle/store/tests.rs index e5dbb19..8553e25 100644 --- a/src/merkle/store/tests.rs +++ b/src/merkle/store/tests.rs @@ -1,9 +1,8 @@ use super::{ DefaultMerkleStore as MerkleStore, EmptySubtreeRoots, MerkleError, MerklePath, NodeIndex, - PartialMerkleTree, RecordingMerkleStore, RpoDigest, + PartialMerkleTree, RecordingMerkleStore, Rpo256, RpoDigest, }; use crate::{ - hash::rpo::Rpo256, merkle::{digests_to_words, int_to_leaf, int_to_node, MerkleTree, SimpleSmt}, Felt, Word, ONE, WORD_SIZE, ZERO, };