From 15d4581921f4693bdd49d7b3ed5464fbbfdcf4a0 Mon Sep 17 00:00:00 2001 From: thomaslavaur Date: Wed, 17 Jul 2024 11:11:26 +0200 Subject: [PATCH 1/9] Add circomlib dependency --- .gitmodules | 3 +++ Proof of Leadership/circomlib | 1 + 2 files changed, 4 insertions(+) create mode 100644 .gitmodules create mode 160000 Proof of Leadership/circomlib diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..72517cd --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "Proof of Leadership/circomlib"] + path = Proof of Leadership/circomlib + url = https://github.com/iden3/circomlib.git diff --git a/Proof of Leadership/circomlib b/Proof of Leadership/circomlib new file mode 160000 index 0000000..cff5ab6 --- /dev/null +++ b/Proof of Leadership/circomlib @@ -0,0 +1 @@ +Subproject commit cff5ab6288b55ef23602221694a6a38a0239dcc0 From d6a33d7b4bf17a54ba6c65d834eac98dcdeee10e Mon Sep 17 00:00:00 2001 From: thomaslavaur Date: Wed, 17 Jul 2024 11:12:55 +0200 Subject: [PATCH 2/9] Add circuits --- .../anemoi/Anemoi 2-to-1.ipynb | 1025 +++++++++++++++++ .../anemoi/anemoi_16_to_1_Jubjub.circom | 184 +++ .../anemoi/anemoi_2_to_1_Jubjub.circom | 122 ++ .../anemoi/anemoi_4_to_1_Jubjub.circom | 179 +++ .../anemoi_Jubjub_16_to_1_constants.circom | 174 +++ .../anemoi_Jubjub_2_to_1_constants.circom | 56 + .../anemoi_Jubjub_4_to_1_constants.circom | 70 ++ .../anemoi/script_setup_prover.sh | 49 + Proof of Leadership/leadership_anemoi.circom | 301 +++++ .../leadership_anemoi_sha.circom | 317 +++++ .../leadership_poseidon.circom | 301 +++++ .../leadership_poseidon_sha.circom | 318 +++++ Proof of Leadership/leadership_sha256.circom | 683 +++++++++++ .../poseidon/poseidon_16_to_1_Jubjub.circom | 488 ++++++++ .../poseidon/poseidon_2_to_1_Jubjub.circom | 147 +++ .../poseidon/poseidon_4_to_1_Jubjub.circom | 188 +++ .../poseidon_Jubjub_16_to_1_constants.circom | 193 ++++ .../poseidon_Jubjub_2_to_1_constants.circom | 80 ++ .../poseidon_Jubjub_4_to_1_constants.circom | 96 ++ 19 files changed, 4971 insertions(+) create mode 100644 Proof of Leadership/anemoi/Anemoi 2-to-1.ipynb create mode 100644 Proof of Leadership/anemoi/anemoi_16_to_1_Jubjub.circom create mode 100644 Proof of Leadership/anemoi/anemoi_2_to_1_Jubjub.circom create mode 100644 Proof of Leadership/anemoi/anemoi_4_to_1_Jubjub.circom create mode 100644 Proof of Leadership/anemoi/anemoi_Jubjub_16_to_1_constants.circom create mode 100644 Proof of Leadership/anemoi/anemoi_Jubjub_2_to_1_constants.circom create mode 100644 Proof of Leadership/anemoi/anemoi_Jubjub_4_to_1_constants.circom create mode 100644 Proof of Leadership/anemoi/script_setup_prover.sh create mode 100644 Proof of Leadership/leadership_anemoi.circom create mode 100644 Proof of Leadership/leadership_anemoi_sha.circom create mode 100644 Proof of Leadership/leadership_poseidon.circom create mode 100644 Proof of Leadership/leadership_poseidon_sha.circom create mode 100644 Proof of Leadership/leadership_sha256.circom create mode 100644 Proof of Leadership/poseidon/poseidon_16_to_1_Jubjub.circom create mode 100644 Proof of Leadership/poseidon/poseidon_2_to_1_Jubjub.circom create mode 100644 Proof of Leadership/poseidon/poseidon_4_to_1_Jubjub.circom create mode 100644 Proof of Leadership/poseidon/poseidon_Jubjub_16_to_1_constants.circom create mode 100644 Proof of Leadership/poseidon/poseidon_Jubjub_2_to_1_constants.circom create mode 100644 Proof of Leadership/poseidon/poseidon_Jubjub_4_to_1_constants.circom diff --git a/Proof of Leadership/anemoi/Anemoi 2-to-1.ipynb b/Proof of Leadership/anemoi/Anemoi 2-to-1.ipynb new file mode 100644 index 0000000..1cdbc3a --- /dev/null +++ b/Proof of Leadership/anemoi/Anemoi 2-to-1.ipynb @@ -0,0 +1,1025 @@ +{ + "cells": [ + { + "cell_type": "code", + "execution_count": 1, + "id": "50885b34", + "metadata": {}, + "outputs": [], + "source": [ + "# BLS12-381 Base field\n", + "BLS12_381_BASEFIELD = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab\n", + "# BLS12-381 Scalar field\n", + "BLS12_381_SCALARFIELD = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001\n", + "\n", + "# BLS12-377 Base field = BW6_761 Scalar field\n", + "BLS12_377_BASEFIELD = 0x1ae3a4617c510eac63b05c06ca1493b1a22d9f300f5138f1ef3622fba094800170b5d44300000008508c00000000001\n", + "# BLS12-377 Scalar field = Ed_on_bls_12_377 Base field\n", + "BLS12_377_SCALARFIELD = 0x12ab655e9a2ca55660b44d1e5c37b00159aa76fed00000010a11800000000001\n", + "\n", + "# BN-254 Base field\n", + "BN_254_BASEFIELD = 0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47\n", + "# BN-254 Scalar field\n", + "BN_254_SCALARFIELD = 0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593f0000001\n", + "\n", + "# Pallas Base field = Vesta Scalar field\n", + "PALLAS_BASEFIELD = 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001\n", + "\n", + "# Vesta Base field = Pallas Scalar field\n", + "VESTA_BASEFIELD = 0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001\n", + "\n", + "# Small Goldilocks field\n", + "GOLDILOCKS_64_FIELD = 0xffffffff00000001" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "id": "23180928", + "metadata": {}, + "outputs": [], + "source": [] + }, + { + "cell_type": "code", + "execution_count": 2, + "id": "c309f191", + "metadata": {}, + "outputs": [], + "source": [ + "from sage.all import *\n", + "import hashlib\n", + "import itertools\n", + "\n", + "\n", + "COST_ALPHA = {\n", + " 3 : 2, 5 : 3, 7 : 4, 9 : 4,\n", + " 11 : 5, 13 : 5, 15 : 5, 17 : 5,\n", + " 19 : 6, 21 : 6, 23 : 6, 25 : 6,\n", + " 27 : 6, 29 : 7, 31 : 7, 33 : 6,\n", + " 35 : 7, 37 : 7, 39 : 7, 41 : 7,\n", + " 43 : 7, 45 : 7, 47 : 8, 49 : 7,\n", + " 51 : 7, 53 : 8, 55 : 8, 57 : 8,\n", + " 59 : 8, 61 : 8, 63 : 8, 65 : 7,\n", + " 67 : 8, 69 : 8, 71 : 9, 73 : 8,\n", + " 75 : 8, 77 : 8, 79 : 9, 81 : 8,\n", + " 83 : 8, 85 : 8, 87 : 9, 89 : 9,\n", + " 91 : 9, 93 : 9, 95 : 9, 97 : 8,\n", + " 99 : 8, 101 : 9, 103 : 9, 105 : 9,\n", + " 107 : 9, 109 : 9, 111 : 9, 113 : 9,\n", + " 115 : 9, 117 : 9, 119 : 9, 121 : 9,\n", + " 123 : 9, 125 : 9, 127 : 10,\n", + "}\n", + "\n", + "ALPHA_BY_COST = {\n", + " c : [x for x in range(3, 128, 2) if COST_ALPHA[x] == c]\n", + " for c in range(2, 11)\n", + "}\n", + "\n", + "PI_0 = 1415926535897932384626433832795028841971693993751058209749445923078164062862089986280348253421170679\n", + "PI_1 = 8214808651328230664709384460955058223172535940812848111745028410270193852110555964462294895493038196\n", + "\n", + "def get_prime(N):\n", + " result = (1 << N) - 1\n", + " while not is_prime(result):\n", + " result -= 2\n", + " return result\n", + "\n", + "\n", + "def get_n_rounds(s, l, alpha):\n", + " r = 0\n", + " complexity = 0\n", + " kappa = {3:1, 5:2, 7:4, 9:7, 11:9}\n", + " assert alpha in kappa\n", + " while complexity < 2**s:\n", + " r += 1\n", + " complexity = binomial(\n", + " 4*l*r + kappa[alpha],\n", + " 2*l*r\n", + " )**2\n", + " r += 2 # considering the second model\n", + " r += min(5,l+1) # security margin\n", + " \n", + " return max(8, r)\n", + "\n", + "\n", + "# Linear layer generation\n", + "\n", + "def is_mds(m):\n", + " # Uses the Laplace expansion of the determinant to calculate the (m+1)x(m+1) minors in terms of the mxm minors.\n", + " # Taken from https://github.com/mir-protocol/hash-constants/blob/master/mds_search.sage.\n", + "\n", + " # 1-minors are just the elements themselves\n", + " if any(any(r == 0 for r in row) for row in m):\n", + " return False\n", + "\n", + " N = m.nrows()\n", + " assert m.is_square() and N >= 2\n", + "\n", + " det_cache = m\n", + "\n", + " # Calculate all the nxn minors of m:\n", + " for n in range(2, N+1):\n", + " new_det_cache = dict()\n", + " for rows in itertools.combinations(range(N), n):\n", + " for cols in itertools.combinations(range(N), n):\n", + " i, *rs = rows\n", + "\n", + " # Laplace expansion along row i\n", + " det = 0\n", + " for j in range(n):\n", + " # pick out c = column j; the remaining columns are in cs\n", + " c = cols[j]\n", + " cs = cols[:j] + cols[j+1:]\n", + "\n", + " # Look up the determinant from the previous iteration\n", + " # and multiply by -1 if j is odd\n", + " cofactor = det_cache[(*rs, *cs)]\n", + " if j % 2 == 1:\n", + " cofactor = -cofactor\n", + "\n", + " # update the determinant with the j-th term\n", + " det += m[i, c] * cofactor\n", + "\n", + " if det == 0:\n", + " return False\n", + " new_det_cache[(*rows, *cols)] = det\n", + " det_cache = new_det_cache\n", + " return True\n", + "\n", + "def M_2(x_input, b):\n", + " x = x_input[:]\n", + " x[0] += b*x[1]\n", + " x[1] += b*x[0]\n", + " return x\n", + "\n", + "def M_3(x_input, b):\n", + " x = x_input[:]\n", + " t = x[0] + b*x[2]\n", + " x[2] += x[1]\n", + " x[2] += b*x[0]\n", + " x[0] = t + x[2]\n", + " x[1] += t\n", + " return x\n", + "\n", + "\n", + "def M_4(x_input, b):\n", + " x = x_input[:]\n", + " x[0] += x[1]\n", + " x[2] += x[3]\n", + " x[3] += b*x[0]\n", + " x[1] = b*(x[1] + x[2])\n", + " x[0] += x[1]\n", + " x[2] += b*x[3]\n", + " x[1] += x[2]\n", + " x[3] += x[0]\n", + " return x\n", + "\n", + "def lfsr(x_input, b):\n", + " x = x_input[:]\n", + " l = len(x)\n", + " for r in range(0, l):\n", + " t = sum(b**(2**i) * x[i] for i in range(0, l))\n", + " x = x[1:] + [t]\n", + " return x\n", + "\n", + "def circulant_mds_matrix(field, l, coeff_upper_limit=None):\n", + " if coeff_upper_limit == None:\n", + " coeff_upper_limit = l+1\n", + " assert(coeff_upper_limit > l)\n", + " for v in itertools.combinations_with_replacement(range(1,coeff_upper_limit), l):\n", + " mat = matrix.circulant(list(v)).change_ring(field)\n", + " if is_mds(mat):\n", + " return(mat)\n", + " # In some cases, the method won't return any valid matrix,\n", + " # hence the need to increase the limit further.\n", + " return circulant_mds_matrix(field, l, coeff_upper_limit+1)\n", + "\n", + "def get_mds(field, l):\n", + " if l == 1:\n", + " return identity_matrix(field, 1)\n", + " if l <= 4: # low addition case\n", + " a = field.multiplicative_generator()\n", + " b = field.one()\n", + " t = 0\n", + " while True:\n", + " # we construct the matrix\n", + " mat = []\n", + " b = b*a\n", + " t += 1\n", + " for i in range(0, l):\n", + " x_i = [field.one() * (j == i) for j in range(0, l)]\n", + " if l == 2:\n", + " mat.append(M_2(x_i, b))\n", + " elif l == 3:\n", + " mat.append(M_3(x_i, b))\n", + " elif l == 4:\n", + " mat.append(M_4(x_i, b))\n", + " mat = Matrix(field, l, l, mat).transpose()\n", + " if is_mds(mat):\n", + " return mat\n", + " else: # circulant matrix case\n", + " return circulant_mds_matrix(field, l)\n", + "\n", + "# AnemoiPermutation class\n", + "\n", + "class AnemoiPermutation:\n", + " def __init__(self,\n", + " q=None,\n", + " alpha=None,\n", + " mat=None,\n", + " n_rounds=None,\n", + " n_cols=1,\n", + " security_level=128):\n", + " if q == None:\n", + " raise Exception(\"The characteristic of the field must be specified!\")\n", + " self.q = q\n", + " self.prime_field = is_prime(q) # if true then we work over a\n", + " # prime field with\n", + " # characteristic just under\n", + " # 2**N, otherwise the\n", + " # characteristic is 2**self\n", + " self.n_cols = n_cols # the number of parallel S-boxes in each round\n", + " self.security_level = security_level\n", + "\n", + " # initializing the other variables in the state:\n", + " # - q is the characteristic of the field\n", + " # - g is a generator of the multiplicative subgroup\n", + " # - alpha is the main exponent (in the center of the Flystel)\n", + " # - beta is the coefficient in the quadratic subfunction\n", + " # - gamma is the constant in the second quadratic subfunction\n", + " # - QUAD is the secondary (quadratic) exponent\n", + " # - from_field is a function mapping field elements to integers\n", + " # - to_field is a function mapping integers to field elements\n", + " self.F = GF(self.q)\n", + " if self.prime_field:\n", + " if alpha != None:\n", + " if gcd(alpha, self.q-1) != 1:\n", + " raise Exception(\"alpha should be co-prime with the characteristic!\")\n", + " else:\n", + " self.alpha = alpha\n", + " else:\n", + " self.alpha = 3\n", + " while gcd(self.alpha, self.q-1) != 1:\n", + " self.alpha += 1\n", + " self.QUAD = 2\n", + " self.to_field = lambda x : self.F(x)\n", + " self.from_field = lambda x : Integer(x)\n", + " else:\n", + " self.alpha = 3\n", + " self.QUAD = 3\n", + " self.to_field = lambda x : self.F.fetch_int(x)\n", + " self.from_field = lambda x : x.integer_representation()\n", + " self.g = self.F.multiplicative_generator()\n", + " self.beta = self.g\n", + " self.delta = self.g**(-1)\n", + " self.alpha_inv = inverse_mod(self.alpha, self.q-1)\n", + "\n", + " # total number of rounds\n", + " if n_rounds != None:\n", + " self.n_rounds = n_rounds\n", + " else:\n", + " self.n_rounds = get_n_rounds(self.security_level,\n", + " self.n_cols,\n", + " self.alpha)\n", + "\n", + " # Choosing constants: self.C and self.D are built from the\n", + " # digits of pi using an open butterfly\n", + " self.C = []\n", + " self.D = []\n", + " pi_F_0 = self.to_field(PI_0 % self.q)\n", + " pi_F_1 = self.to_field(PI_1 % self.q)\n", + " for r in range(0, self.n_rounds):\n", + " pi_0_r = pi_F_0**r\n", + " self.C.append([])\n", + " self.D.append([])\n", + " for i in range(0, self.n_cols):\n", + " pi_1_i = pi_F_1**i\n", + " pow_alpha = (pi_0_r + pi_1_i)**self.alpha\n", + " self.C[r].append(self.g * (pi_0_r)**2 + pow_alpha)\n", + " self.D[r].append(self.g * (pi_1_i)**2 + pow_alpha + self.delta)\n", + " self.mat = get_mds(self.F, self.n_cols)\n", + "\n", + "\n", + " def __str__(self):\n", + " result = \"Anemoi instance over F_{:d} ({}), n_rounds={:d}, n_cols={:d}, s={:d}\".format(\n", + " self.q,\n", + " \"odd prime field\" if self.prime_field else \"characteristic 2\",\n", + " self.n_rounds,\n", + " self.n_cols,\n", + " self.security_level\n", + " )\n", + " result += \"\\nalpha={}, beta={}, \\ndelta={}\\nM_x=\\n{}\\ninv_alpha={}\\n\".format(\n", + " self.alpha,\n", + " self.beta,\n", + " self.delta,\n", + " self.mat,\n", + " self.alpha_inv\n", + " )\n", + " result += \"C={}\\nD={}\".format(\n", + " [[self.from_field(x) for x in self.C[r]] for r in range(0, self.n_rounds)],\n", + " [[self.from_field(x) for x in self.D[r]] for r in range(0, self.n_rounds)],\n", + " )\n", + " return result\n", + "\n", + "\n", + " # !SECTION! Sub-components\n", + "\n", + " def evaluate_sbox(self, _x, _y):\n", + " x, y = _x, _y\n", + " x -= self.beta*y**self.QUAD\n", + " y -= x**self.alpha_inv\n", + " x += self.beta*y**self.QUAD + self.delta\n", + " return x, y\n", + "\n", + " def linear_layer(self, _x, _y):\n", + " x, y = _x[:], _y[:]\n", + " x = self.mat*vector(x)\n", + " y = self.mat*vector(y[1:] + [y[0]])\n", + "\n", + " # Pseudo-Hadamard transform on each (x,y) pair\n", + " y += x\n", + " x += y\n", + " return list(x), list(y)\n", + "\n", + "\n", + " # !SECTION! Evaluation\n", + "\n", + " def eval_with_intermediate_values(self, _x, _y):\n", + " x, y = _x[:], _y[:]\n", + " result = [[x[:], y[:]]]\n", + " for r in range(0, self.n_rounds):\n", + " for i in range(0, self.n_cols):\n", + " x[i] += self.C[r][i]\n", + " y[i] += self.D[r][i]\n", + " x, y = self.linear_layer(x, y)\n", + " for i in range(0, self.n_cols):\n", + " x[i], y[i] = self.evaluate_sbox(x[i], y[i])\n", + " result.append([x[:], y[:]])\n", + " # final call to the linear layer\n", + " x, y = self.linear_layer(x, y)\n", + " result.append([x[:], y[:]])\n", + " return result\n", + "\n", + "\n", + " def input_size(self):\n", + " return 2*self.n_cols\n", + "\n", + "\n", + " def __call__(self, _x):\n", + " if len(_x) != self.input_size():\n", + " raise Exception(\"wrong input size!\")\n", + " else:\n", + " x, y = _x[:self.n_cols], _x[self.n_cols:]\n", + " u, v = self.eval_with_intermediate_values(x, y)[-1]\n", + " return u + v # concatenation, not a sum\n", + "\n", + "\n", + " # !SECTION! Writing full system of equations\n", + "\n", + " def get_polynomial_variables(self):\n", + " x_vars = []\n", + " y_vars = []\n", + " all_vars = []\n", + " for r in range(0, self.n_rounds+1):\n", + " x_vars.append([\"X{:02d}{:02d}\".format(r, i) for i in range(0, self.n_cols)])\n", + " y_vars.append([\"Y{:02d}{:02d}\".format(r, i) for i in range(0, self.n_cols)])\n", + " all_vars += x_vars[-1]\n", + " all_vars += y_vars[-1]\n", + " pol_ring = PolynomialRing(self.F, (self.n_rounds+1)*2*self.n_cols, all_vars)\n", + " pol_gens = pol_ring.gens()\n", + " result = {\"X\" : [], \"Y\" : []}\n", + " for r in range(0, self.n_rounds+1):\n", + " result[\"X\"].append([])\n", + " result[\"Y\"].append([])\n", + " for i in range(0, self.n_cols):\n", + " result[\"X\"][r].append(pol_gens[self.n_cols*2*r + i])\n", + " result[\"Y\"][r].append(pol_gens[self.n_cols*2*r + i + self.n_cols])\n", + " return result\n", + "\n", + "\n", + " def verification_polynomials(self, pol_vars):\n", + " equations = []\n", + " for r in range(0, self.n_rounds):\n", + " # the outputs of the open flystel are the state variables x, y at round r+1\n", + " u = pol_vars[\"X\"][r+1]\n", + " v = pol_vars[\"Y\"][r+1]\n", + " # the inputs of the open flystel are the state variables\n", + " # x, y at round r after undergoing the constant addition\n", + " # and the linear layer\n", + " x, y = pol_vars[\"X\"][r], pol_vars[\"Y\"][r]\n", + " x = [x[i] + self.C[r][i] for i in range(0, self.n_cols)]\n", + " y = [y[i] + self.D[r][i] for i in range(0, self.n_cols)]\n", + " x, y = self.linear_layer(x, y)\n", + " for i in range(0, self.n_cols):\n", + " equations.append(\n", + " (y[i]-v[i])**self.alpha + self.beta*y[i]**self.QUAD - x[i]\n", + " )\n", + " equations.append(\n", + " (y[i]-v[i])**self.alpha + self.beta*v[i]**self.QUAD + self.delta - u[i]\n", + " )\n", + " return equations\n", + "\n", + "\n", + " def print_verification_polynomials(self):\n", + " p_vars = self.get_polynomial_variables()\n", + " eqs = self.verification_polynomials(p_vars)\n", + " variables_string = \"\"\n", + " for r in range(0, self.n_rounds+1):\n", + " variables_string += str(p_vars[\"X\"][r])[1:-1] + \",\" + str(p_vars[\"Y\"][r])[1:-1] + \",\"\n", + " print(variables_string[:-1].replace(\" \", \"\"))\n", + " print(self.q)\n", + " for f in eqs:\n", + " print(f)\n", + "\n", + "\n", + "\n", + "# !SECTION! Modes of operation\n", + "\n", + "\n", + "def jive(P, b, _x):\n", + " if b < 2:\n", + " raise Exception(\"b must be at least equal to 2\")\n", + " if P.input_size() % b != 0:\n", + " raise Exception(\"b must divide the input size!\")\n", + " c = P.input_size()/b # length of the compressed output\n", + " # Output size check: we allow the output size to be 3 bits shorter than\n", + " # the theoretical target, as commonly used finite fields usually have a\n", + " # characteristic size slightly under 2**256.\n", + " if c * P.F.cardinality().nbits() < 2 * P.security_level - 3:\n", + " raise Exception(f\"digest size is too small for the targeted security level!\")\n", + " x = _x[:]\n", + " u = P(x)\n", + " compressed = []\n", + " for i in range(0, c):\n", + " compressed.append(sum(x[i+c*j] + u[i+c*j]\n", + " for j in range(0, b)))\n", + " return compressed\n", + "\n", + "\n", + "def sponge_hash(P, r, h, _x):\n", + " x = _x[:]\n", + " if P.input_size() <= r:\n", + " raise Exception(\"rate must be strictly smaller than state size!\")\n", + " # Digest size and capacity check: we allow the digest size to be 3 bits\n", + " # shorter than the theoretical target, as commonly used finite fields\n", + " # usually have a characteristic size slightly under 2**256.\n", + " if h * P.F.cardinality().nbits() < 2 * P.security_level - 3:\n", + " raise Exception(f\"digest size is too small for the targeted security level!\")\n", + " capacity = P.input_size() - r\n", + " if capacity * P.F.cardinality().nbits() < 2 * P.security_level - 3:\n", + " raise Exception(f\"capacity is too small for the targeted security level!\")\n", + "\n", + " # message padding (and domain separator computation)\n", + " if len(x) % r == 0 and len(x) != 0:\n", + " sigma = 1\n", + " else:\n", + " sigma = 0\n", + " x += [1]\n", + " # if x is still not long enough, append 0s\n", + " if len(x) % r != 0:\n", + " x += (r - (len(x) % r))*[0]\n", + " padded_x = [[x[pos+i] for i in range(0, r)]\n", + " for pos in range(0, len(x), r)]\n", + " # absorption phase\n", + " internal_state = [0] * P.input_size()\n", + " for pos in range(0, len(padded_x)):\n", + " for i in range(0, r):\n", + " internal_state[i] += padded_x[pos][i]\n", + " internal_state = P(internal_state)\n", + " if pos == len(padded_x)-1:\n", + " # adding sigma if it is the last block\n", + " internal_state[-1] += sigma\n", + " # squeezing\n", + " digest = []\n", + " pos = 0\n", + " while len(digest) < h:\n", + " digest.append(internal_state[pos])\n", + " pos += 1\n", + " if pos == r:\n", + " pos = 0\n", + " internal_state = P(internal_state)\n", + " return digest\n", + "\n", + "\n", + "# !SECTION! Tests\n", + "\n", + "def check_polynomial_verification(n_tests=10, q=2**63, alpha=3, n_rounds=3, n_cols=1):\n", + " A = AnemoiPermutation(q=q, alpha=alpha, n_rounds=n_rounds, n_cols=n_cols)\n", + " # formal polynomial variables and equations\n", + " p_vars = A.get_polynomial_variables()\n", + " eqs = A.verification_polynomials(p_vars)\n", + " A.print_verification_polynomials()\n", + " # for n_tests random inputs, we check that the equations are\n", + " # coherent with the actual intermediate values\n", + " print(\"\\n ======== Verification:\")\n", + " print(A)\n", + " print(\"{} equations in {} variables.\".format(\n", + " len(eqs),\n", + " (A.n_rounds+1) * 2 * A.n_cols,\n", + " ))\n", + " for t in range(0, n_tests):\n", + " # generate random input\n", + " x = [A.to_field(randint(0, A.q - 1))\n", + " for i in range(0, A.n_cols)]\n", + " y = [A.to_field(randint(0, A.q - 1))\n", + " for i in range(0, A.n_cols)]\n", + " # generate intermediate values, formal polynomial variables,\n", + " # and equations\n", + " iv = A.eval_with_intermediate_values(x, y)\n", + " p_vars = A.get_polynomial_variables()\n", + " eqs = A.verification_polynomials(p_vars)\n", + " # obtain variable assignment from the actual evaluation\n", + " assignment = {}\n", + " for r in range(0, A.n_rounds+1):\n", + " for i in range(0, A.n_cols):\n", + " assignment[p_vars[\"X\"][r][i]] = iv[r][0][i]\n", + " assignment[p_vars[\"Y\"][r][i]] = iv[r][1][i]\n", + " # printing the value of the equations for the actual\n", + " # intermediate states\n", + " print(\"\\n--- \", t, \"(all values except the input should be 0)\")\n", + " print(\"input: \", x, y)\n", + " for r in range(0, A.n_rounds):\n", + " polynomial_values = [eqs[r*2*A.n_cols + i].subs(assignment)\n", + " for i in range(0, 2*A.n_cols)]\n", + " print(\"round {:3d}: {}\\n {}\".format(\n", + " r,\n", + " polynomial_values[0::2],\n", + " polynomial_values[1::2]\n", + " ))\n", + "\n", + "\n", + "def test_jive(n_tests=10,\n", + " q=2**63, alpha=3,\n", + " n_rounds=None,\n", + " n_cols=1,\n", + " b=2,\n", + " security_level=32):\n", + " A = AnemoiPermutation(q=q, alpha=alpha, n_rounds=n_rounds, n_cols=n_cols, security_level=security_level)\n", + " print(A)\n", + " for t in range(0, n_tests):\n", + " # generate random input\n", + " x = [A.to_field(randint(0, A.q - 1))\n", + " for i in range(0, A.n_cols)]\n", + " y = [A.to_field(randint(0, A.q - 1))\n", + " for i in range(0, A.n_cols)]\n", + " print(\"x = {}\\ny = {}\\nAnemoiJive_{}(x,y) = {}\".format(\n", + " x,\n", + " y,\n", + " b,\n", + " jive(A, b, x + y)\n", + " ))\n", + "\n", + "\n", + "def test_sponge(n_tests=10,\n", + " q=2**63,\n", + " alpha=3,\n", + " n_rounds=None,\n", + " n_cols=1,\n", + " b=2,\n", + " security_level=32):\n", + " A = AnemoiPermutation(q=q, alpha=alpha, n_rounds=n_rounds, n_cols=n_cols, security_level=security_level)\n", + " print(A)\n", + " for t in range(0, n_tests):\n", + " # generate random input of length t\n", + " x = [A.to_field(randint(0, A.q - 1))\n", + " for i in range(0, t)]\n", + " print(\"x = {}\\nAnemoiSponge(x) = {}\".format(\n", + " x,\n", + " sponge_hash(A, 2, 2, x)\n", + " ))\n", + "\n", + "def generate_test_vectors_jive(P, b, n):\n", + " assert n >= 4, \"The number of test vectors should be greater than 4.\"\n", + " m = hashlib.sha512(str(P).encode())\n", + " m.update(\"Jive test vectors\".encode())\n", + " m.update(f\"B={b}\".encode())\n", + " seed = Integer(m.digest().hex(), 16)\n", + "\n", + " inputs = []\n", + " outputs = []\n", + " inputs.append([P.F(0) for _ in range(P.input_size())])\n", + " inputs.append([P.F(1) for _ in range(P.input_size())])\n", + " inputs.append([P.F(0) for _ in range(P.n_cols)] + [P.F(1) for _ in range(P.n_cols)])\n", + " inputs.append([P.F(1) for _ in range(P.n_cols)] + [P.F(0) for _ in range(P.n_cols)])\n", + " for i in range(n - 4):\n", + " input = []\n", + " for _ in range(P.input_size()):\n", + " input.append(P.to_field(seed))\n", + " m.update(str(seed).encode())\n", + " seed = Integer(m.digest().hex(), 16)\n", + " inputs.append(input)\n", + " for input in inputs:\n", + " outputs.append(jive(P, b, input))\n", + "\n", + " print(\n", + " \"Test vectors for Anemoi instance over F_{:d}, n_rounds={:d}, n_cols={:d}, s={:d}\".format(\n", + " P.q,\n", + " P.n_rounds,\n", + " P.n_cols,\n", + " P.security_level)\n", + " )\n", + " return (inputs, outputs)\n", + "\n", + "\n", + "def generate_test_vectors_sponge(P, r, h, n):\n", + " assert n >= 4, \"The number of test vectors should be greater than 4.\"\n", + " m = hashlib.sha512(str(P).encode())\n", + " m.update(\"Sponge test vectors\".encode())\n", + " m.update(f\"R={r}\".encode())\n", + " m.update(f\"H={h}\".encode())\n", + " seed = Integer(m.digest().hex(), 16)\n", + "\n", + " inputs = []\n", + " outputs = []\n", + " inputs.append([P.F(0) for _ in range(P.input_size())])\n", + " inputs.append([P.F(1) for _ in range(P.input_size())])\n", + " inputs.append([P.F(0) for _ in range(P.n_cols)] + [P.F(1) for _ in range(P.n_cols)])\n", + " inputs.append([P.F(1) for _ in range(P.n_cols)] + [P.F(0) for _ in range(P.n_cols)])\n", + " for i in range(n - 4):\n", + " input = []\n", + " for _ in range(i+1):\n", + " input.append(P.to_field(seed))\n", + " m.update(str(seed).encode())\n", + " seed = Integer(m.digest().hex(), 16)\n", + " inputs.append(input)\n", + " for input in inputs:\n", + " outputs.append(sponge_hash(P, r, h, input))\n", + "\n", + " print(\n", + " \"Test vectors for Anemoi instance over F_{:d}, n_rounds={:d}, n_cols={:d}, s={:d}\".format(\n", + " P.q,\n", + " P.n_rounds,\n", + " P.n_cols,\n", + " P.security_level)\n", + " )\n", + " return (inputs, outputs)\n", + "\n", + "\n", + "def generate_test_vectors_sbox(P, n):\n", + " assert n >= 4, \"The number of test vectors should be greater than 4.\"\n", + " m = hashlib.sha512(str(P).encode())\n", + " m.update(\"S-Box test vectors\".encode())\n", + " seed = Integer(m.digest().hex(), 16)\n", + "\n", + " inputs = []\n", + " outputs = []\n", + " inputs.append([P.F(0) for _ in range(P.input_size())])\n", + " inputs.append([P.F(1) for _ in range(P.input_size())])\n", + " inputs.append([P.F(0) for _ in range(P.n_cols)] + [P.F(1) for _ in range(P.n_cols)])\n", + " inputs.append([P.F(1) for _ in range(P.n_cols)] + [P.F(0) for _ in range(P.n_cols)])\n", + "\n", + " for _ in range(n - 4):\n", + " input = []\n", + " for _ in range(P.input_size()):\n", + " input.append(P.to_field(seed))\n", + " m.update(str(seed).encode())\n", + " seed = Integer(m.digest().hex(), 16)\n", + " inputs.append(input)\n", + " for input in inputs:\n", + " x = [0 for i in range(P.n_cols)]\n", + " y = [0 for i in range(P.n_cols)]\n", + " for i in range(P.n_cols):\n", + " x[i], y[i] = P.evaluate_sbox(input[i], input[P.n_cols + i])\n", + " x.extend(y)\n", + " outputs.append(x)\n", + "\n", + " return (inputs, outputs)\n", + "\n", + "\n", + "def generate_test_vectors_mds(P, n):\n", + " assert n >= 4, \"The number of test vectors should be greater than 4.\"\n", + " m = hashlib.sha512(str(P).encode())\n", + " m.update(\"MDS test vectors\".encode())\n", + " seed = Integer(m.digest().hex(), 16)\n", + "\n", + " inputs = []\n", + " outputs = []\n", + " inputs.append([P.F(0) for _ in range(P.input_size())])\n", + " inputs.append([P.F(1) for _ in range(P.input_size())])\n", + " inputs.append([P.F(0) for _ in range(P.n_cols)] + [P.F(1) for _ in range(P.n_cols)])\n", + " inputs.append([P.F(1) for _ in range(P.n_cols)] + [P.F(0) for _ in range(P.n_cols)])\n", + " for _ in range(n - 4):\n", + " input = []\n", + " for _ in range(P.input_size()):\n", + " input.append(P.to_field(seed))\n", + " m.update(str(seed).encode())\n", + " seed = Integer(m.digest().hex(), 16)\n", + " inputs.append(input)\n", + " for input in inputs:\n", + " x,y = P.linear_layer(input[0:P.n_cols], input[P.n_cols:])\n", + " x.extend(y)\n", + " outputs.append(x)\n", + "\n", + " return (inputs, outputs)\n", + "\n", + "\n", + "if __name__ == \"__main__\":\n", + "\n", + " # These are the first circulant matrices being found by the circulant_mds_matrix()\n", + " # method above. These are precomputed for faster initiatialization of large Anemoi\n", + " # instances.\n", + " CIRCULANT_FP5_MDS_MATRIX = matrix.circulant([1, 1, 3, 4, 5])\n", + " CIRCULANT_FP6_MDS_MATRIX = matrix.circulant([1, 1, 3, 4, 5, 6])\n", + " CIRCULANT_FP7_MDS_MATRIX = matrix.circulant([1, 2, 3, 5, 5, 6, 7])\n", + " CIRCULANT_FP8_MDS_MATRIX = matrix.circulant([1, 2, 3, 5, 7, 8, 8, 9])\n", + " CIRCULANT_FP9_MDS_MATRIX = matrix.circulant([1, 3, 5, 6, 8, 9, 9, 10, 11])\n", + " CIRCULANT_FP10_MDS_MATRIX = matrix.circulant([1, 2, 5, 6, 8, 11, 11, 12, 13, 14])\n", + "\n", + " # 128-bit security level instantiations\n", + "\n", + " A_BLS_12_381_BASEFIELD_1_COL_128_BITS = AnemoiPermutation(\n", + " q=BLS12_381_BASEFIELD,\n", + " n_cols=1,\n", + " security_level=128\n", + " )\n", + " A_BLS_12_381_BASEFIELD_2_COL_128_BITS = AnemoiPermutation(\n", + " q=BLS12_381_BASEFIELD,\n", + " n_cols=2,\n", + " security_level=128\n", + " )\n", + " A_BLS_12_381_BASEFIELD_3_COL_128_BITS = AnemoiPermutation(\n", + " q=BLS12_381_BASEFIELD,\n", + " n_cols=3,\n", + " security_level=128\n", + " )\n", + "\n", + " A_JUBJUB_BASEFIELD_1_COL_128_BITS = AnemoiPermutation(\n", + " q=BLS12_381_SCALARFIELD,\n", + " n_cols=1,\n", + " security_level=128\n", + " )\n", + " A_JUBJUB_BASEFIELD_2_COL_128_BITS = AnemoiPermutation(\n", + " q=BLS12_381_SCALARFIELD,\n", + " n_cols=2,\n", + " security_level=128\n", + " )\n", + " A_JUBJUB_BASEFIELD_3_COL_128_BITS = AnemoiPermutation(\n", + " q=BLS12_381_SCALARFIELD,\n", + " n_cols=3,\n", + " security_level=128\n", + " )\n", + "\n", + " A_BLS_12_377_BASEFIELD_1_COL_128_BITS = AnemoiPermutation(\n", + " q=BLS12_377_BASEFIELD,\n", + " n_cols=1,\n", + " security_level=128\n", + " )\n", + " A_BLS_12_377_BASEFIELD_2_COL_128_BITS = AnemoiPermutation(\n", + " q=BLS12_377_BASEFIELD,\n", + " n_cols=2,\n", + " security_level=128\n", + " )\n", + " A_BLS_12_377_BASEFIELD_3_COL_128_BITS = AnemoiPermutation(\n", + " q=BLS12_377_BASEFIELD,\n", + " n_cols=3,\n", + " security_level=128\n", + " )\n", + "\n", + " A_ED_ON_BLS_12_377_BASEFIELD_1_COL_128_BITS = AnemoiPermutation(\n", + " q=BLS12_377_SCALARFIELD,\n", + " n_cols=1,\n", + " security_level=128\n", + " )\n", + " A_ED_ON_BLS_12_377_BASEFIELD_2_COL_128_BITS = AnemoiPermutation(\n", + " q=BLS12_377_SCALARFIELD,\n", + " n_cols=2,\n", + " security_level=128\n", + " )\n", + " A_ED_ON_BLS_12_377_BASEFIELD_3_COL_128_BITS = AnemoiPermutation(\n", + " q=BLS12_377_SCALARFIELD,\n", + " n_cols=3,\n", + " security_level=128\n", + " )\n", + "\n", + " A_BN_254_BASEFIELD_1_COL_128_BITS = AnemoiPermutation(\n", + " q=BN_254_BASEFIELD,\n", + " n_cols=1,\n", + " security_level=128\n", + " )\n", + " A_BN_254_BASEFIELD_2_COL_128_BITS = AnemoiPermutation(\n", + " q=BN_254_BASEFIELD,\n", + " n_cols=2,\n", + " security_level=128\n", + " )\n", + " A_BN_254_BASEFIELD_3_COL_128_BITS = AnemoiPermutation(\n", + " q=BN_254_BASEFIELD,\n", + " n_cols=3,\n", + " security_level=128\n", + " )\n", + "\n", + " A_BN_254_SCALARFIELD_1_COL_128_BITS = AnemoiPermutation(\n", + " q=BN_254_SCALARFIELD,\n", + " n_cols=1,\n", + " security_level=128\n", + " )\n", + " A_BN_254_SCALARFIELD_2_COL_128_BITS = AnemoiPermutation(\n", + " q=BN_254_SCALARFIELD,\n", + " n_cols=2,\n", + " security_level=128\n", + " )\n", + " A_BN_254_SCALARFIELD_3_COL_128_BITS = AnemoiPermutation(\n", + " q=BN_254_SCALARFIELD,\n", + " n_cols=3,\n", + " security_level=128\n", + " )\n", + "\n", + " A_PALLAS_BASEFIELD_1_COL_128_BITS = AnemoiPermutation(\n", + " q=PALLAS_BASEFIELD,\n", + " n_cols=1,\n", + " security_level=128\n", + " )\n", + " A_PALLAS_BASEFIELD_2_COL_128_BITS = AnemoiPermutation(\n", + " q=PALLAS_BASEFIELD,\n", + " n_cols=2,\n", + " security_level=128\n", + " )\n", + " A_PALLAS_BASEFIELD_3_COL_128_BITS = AnemoiPermutation(\n", + " q=PALLAS_BASEFIELD,\n", + " n_cols=3,\n", + " security_level=128\n", + " )\n", + "\n", + " A_VESTA_BASEFIELD_1_COL_128_BITS = AnemoiPermutation(\n", + " q=VESTA_BASEFIELD,\n", + " n_cols=1,\n", + " security_level=128\n", + " )\n", + " A_VESTA_BASEFIELD_2_COL_128_BITS = AnemoiPermutation(\n", + " q=VESTA_BASEFIELD,\n", + " n_cols=2,\n", + " security_level=128\n", + " )\n", + " A_VESTA_BASEFIELD_3_COL_128_BITS = AnemoiPermutation(\n", + " q=VESTA_BASEFIELD,\n", + " n_cols=3,\n", + " security_level=128\n", + " )\n", + "\n", + " A_GOLDILOCKS_64_FIELD_4_COL_128_BITS = AnemoiPermutation(\n", + " q=GOLDILOCKS_64_FIELD,\n", + " n_cols=4,\n", + " security_level=128\n", + " )\n", + " A_GOLDILOCKS_64_FIELD_5_COL_128_BITS = AnemoiPermutation(\n", + " q=GOLDILOCKS_64_FIELD,\n", + " mat=CIRCULANT_FP5_MDS_MATRIX,\n", + " n_cols=5,\n", + " security_level=128)\n", + " A_GOLDILOCKS_64_FIELD_6_COL_128_BITS = AnemoiPermutation(\n", + " q=GOLDILOCKS_64_FIELD,\n", + " mat=CIRCULANT_FP6_MDS_MATRIX,\n", + " n_cols=6,\n", + " security_level=128)" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "id": "4de5d23c", + "metadata": {}, + "outputs": [], + "source": [] + }, + { + "cell_type": "code", + "execution_count": 3, + "id": "55940b58", + "metadata": {}, + "outputs": [], + "source": [ + "A_2 = AnemoiPermutation(q=BLS12_381_SCALARFIELD, alpha=None, n_rounds=None, n_cols=1, security_level=128)\n", + "A_4 = AnemoiPermutation(q=BLS12_381_SCALARFIELD, alpha=None, n_rounds=None, n_cols=2, security_level=128)\n", + "A_8 = AnemoiPermutation(q=BLS12_381_SCALARFIELD, alpha=None, n_rounds=None, n_cols=4, security_level=128)" + ] + }, + { + "cell_type": "code", + "execution_count": 4, + "id": "1714dd8a", + "metadata": {}, + "outputs": [], + "source": [ + "def h4(a,b,c,d):\n", + " return jive(A_4,4,[a,b,c,d])[0]\n", + "def h2(x,y):\n", + " return jive(A_2,2,[x,y])[0]\n", + "def h16(a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p):\n", + " return jive(A_4,16,[a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p])[0]" + ] + }, + { + "cell_type": "code", + "execution_count": 5, + "id": "6fb511da", + "metadata": {}, + "outputs": [], + "source": [ + "F = FiniteField(52435875175126190479447740508185965837690552500527637822603658699938581184513)" + ] + }, + { + "cell_type": "code", + "execution_count": 9, + "id": "d149c137", + "metadata": {}, + "outputs": [], + "source": [ + "node = [F(52420321241384999566064542292299095305016967400362460415188733797566759865039)]" + ] + }, + { + "cell_type": "code", + "execution_count": 10, + "id": "1d57e955", + "metadata": {}, + "outputs": [], + "source": [ + "for i in range(32):\n", + " node.append(h2(node[len(node)-1],node[len(node)-1]))" + ] + }, + { + "cell_type": "code", + "execution_count": 11, + "id": "cec930f7", + "metadata": {}, + "outputs": [ + { + "data": { + "text/plain": [ + "[52420321241384999566064542292299095305016967400362460415188733797566759865039,\n", + " 34858305496126338994157940030491986528979209212364450444400553912850765881266,\n", + " 10060298215913168229635200403977750691324230455100780417729785627050381309370,\n", + " 37657570155741197049656950100032789787730277025585639680171537327433013443461,\n", + " 43105655934034421310242811462621484525299779534316435151634983301958386590294,\n", + " 26995182859207480491682003956450588969914099749120925411176915838714895859597,\n", + " 20506505055020577941071867474645787663044384365345823626928150837203592376386,\n", + " 28572094676551257704272872821343757206000648895775506512709995566916218827978,\n", + " 42524234163555570540586430006594798114476518357138366521973315347172229388899,\n", + " 41720788377705156799884270768728291039459929734546201246522570875378721139734,\n", + " 19457067441998710724584163548533636242139735070911298751448507771105190878240,\n", + " 8747845488093882108955302281707201874091653422842805672577538032173082380577,\n", + " 32991277692425495249603612794268597446471245662501917149041880681619316027114,\n", + " 30655955250074575922973891541584280309476230618462427477515213028232262267669,\n", + " 27589362888766877196787781531059520230924205436220782390585594394025165647971,\n", + " 15645944042222251287613100624160349973331200688824660057615726288833818756514,\n", + " 41103122236802131675820266308354013027201078225983702886429283924123677508556,\n", + " 3604164466072625520894970148301026556144753129448476532101785358537506096936,\n", + " 10585966731059558810772490617844611395546337996000903904158639165815316582412,\n", + " 44787298630363239445106426135114786217694920972141104035413355784967544392580,\n", + " 11772976849012656283054200415125989128435331342580385899899773526676914980414,\n", + " 15197006870489803770703282231645241096319546397552004839565531786070275618798,\n", + " 36398756779607558742883648673215853033540478201191947706475043044754192649893,\n", + " 38951794974737200048927570198923950704267440020829757596996165598475390602125,\n", + " 15900802340706488974605017961329535810615710838998007293710791187420339373597,\n", + " 35832135664352859533862622204762117961594057848987503662357696301651717440970,\n", + " 3937682840062878094199919914593715602931688125476849557109656097454977607844,\n", + " 19836996935489067263887759688182600655629071982397596249304526919529389472797,\n", + " 8093543369109841781730274069993144570875885414940499814911886408152141385107,\n", + " 28356127876292249971214936516736218558068803693719384306823563563957757910724,\n", + " 41961713207670554534854109355161769432029683361231582286797275988443399524548,\n", + " 8869703232174461463933555757474727782885662615993846320574348981267130192493,\n", + " 19862493525506141505206198326555704277551523209826035871691450692641445027728]" + ] + }, + "execution_count": 11, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "h2(node[len(node)-1],node[len(node)-1])" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "id": "e3109be1", + "metadata": {}, + "outputs": [], + "source": [] + } + ], + "metadata": { + "kernelspec": { + "display_name": "SageMath 9.5", + "language": "sage", + "name": "sagemath" + }, + "language_info": { + "codemirror_mode": { + "name": "ipython", + "version": 3 + }, + "file_extension": ".py", + "mimetype": "text/x-python", + "name": "python", + "nbconvert_exporter": "python", + "pygments_lexer": "ipython3", + "version": "3.10.12" + } + }, + "nbformat": 4, + "nbformat_minor": 5 +} diff --git a/Proof of Leadership/anemoi/anemoi_16_to_1_Jubjub.circom b/Proof of Leadership/anemoi/anemoi_16_to_1_Jubjub.circom new file mode 100644 index 0000000..972dafc --- /dev/null +++ b/Proof of Leadership/anemoi/anemoi_16_to_1_Jubjub.circom @@ -0,0 +1,184 @@ +//test +pragma circom 2.1.9; + +include "anemoi_Jubjub_16_to_1_constants.circom"; + +template ark_layer_16_to_1(round_number) { + assert(round_number < 10); + + signal input in[16]; + signal output out[16]; + + var C[10][8] = C_16_to_1(); + var D[10][8] = D_16_to_1(); + + for(var i=0; i<8; i++){ + out[i] <== in[i] + C[round_number][i]; + out[8+i] <== in[8+i] + D[round_number][i]; + } +} + +template pow_alpha_16_to_1() { // ALPHA = 5 + signal input in; + signal output out; + + signal in2; + signal in4; + + in2 <== in*in; + in4 <== in2 * in2; + out <== in4 * in; +} + +template mds_layer_16_to_1() { + signal input in[16]; + signal output out[16]; + + /* M_x= [1 2 3 5 7 8 8 9] + [9 1 2 3 5 7 8 8] + [8 9 1 2 3 5 7 8] + [8 8 9 1 2 3 5 7] + [7 8 8 9 1 2 3 5] + [5 7 8 8 9 1 2 3] + [3 5 7 8 8 9 1 2] + [2 3 5 7 8 8 9 1] */ + + signal x[8]; + signal y[8]; + + x[0] <== 1*in[0] + 2*in[1] + 3*in[2] + 5*in[3] + 7*in[4] + 8*in[5] + 8*in[6] + 9*in[7]; + x[1] <== 9*in[0] + 1*in[1] + 2*in[2] + 3*in[3] + 5*in[4] + 7*in[5] + 8*in[6] + 8*in[7]; + x[2] <== 8*in[0] + 9*in[1] + 1*in[2] + 2*in[3] + 3*in[4] + 5*in[5] + 7*in[6] + 8*in[7]; + x[3] <== 8*in[0] + 8*in[1] + 9*in[2] + 1*in[3] + 2*in[4] + 3*in[5] + 5*in[6] + 7*in[7]; + x[4] <== 7*in[0] + 8*in[1] + 8*in[2] + 9*in[3] + 1*in[4] + 2*in[5] + 3*in[6] + 5*in[7]; + x[5] <== 5*in[0] + 7*in[1] + 8*in[2] + 8*in[3] + 9*in[4] + 1*in[5] + 2*in[6] + 3*in[7]; + x[6] <== 3*in[0] + 5*in[1] + 7*in[2] + 8*in[3] + 8*in[4] + 9*in[5] + 1*in[6] + 2*in[7]; + x[7] <== 2*in[0] + 3*in[1] + 5*in[2] + 7*in[3] + 8*in[4] + 8*in[5] + 9*in[6] + 1*in[7]; + + y[0] <== 1*in[9] + 2*in[10] + 3*in[11] + 5*in[12] + 7*in[13] + 8*in[14] + 8*in[15] + 9*in[8]; + y[1] <== 9*in[9] + 1*in[10] + 2*in[11] + 3*in[12] + 5*in[13] + 7*in[14] + 8*in[15] + 8*in[8]; + y[2] <== 8*in[9] + 9*in[10] + 1*in[11] + 2*in[12] + 3*in[13] + 5*in[14] + 7*in[15] + 8*in[8]; + y[3] <== 8*in[9] + 8*in[10] + 9*in[11] + 1*in[12] + 2*in[13] + 3*in[14] + 5*in[15] + 7*in[8]; + y[4] <== 7*in[9] + 8*in[10] + 8*in[11] + 9*in[12] + 1*in[13] + 2*in[14] + 3*in[15] + 5*in[8]; + y[5] <== 5*in[9] + 7*in[10] + 8*in[11] + 8*in[12] + 9*in[13] + 1*in[14] + 2*in[15] + 3*in[8]; + y[6] <== 3*in[9] + 5*in[10] + 7*in[11] + 8*in[12] + 8*in[13] + 9*in[14] + 1*in[15] + 2*in[8]; + y[7] <== 2*in[9] + 3*in[10] + 5*in[11] + 7*in[12] + 8*in[13] + 8*in[14] + 9*in[15] + 1*in[8]; + + for(var i=0; i<8; i++){ + out[8+i] <== x[i] + y[i]; + out[i] <== x[i] + out[8+i]; + } +} + + +template s_box_16_to_1() { + signal input in[16]; + signal output out[16]; + + + //Computation using open Flystel + var x[8]; + var y[8]; + + for(var i=0; i<8; i++){ + x[i] = in[i]; + y[i] = in[8+i]; + x[i] = x[i] - 7 * (y[i]**2); + y[i] = y[i] - (x[i]**20974350070050476191779096203274386335076221000211055129041463479975432473805); // 1/ALPHA + x[i] = x[i] + 7 * (y[i]**2) + 14981678621464625851270783002338847382197300714436467949315331057125308909861; // DELTA + out[i] <-- x[i]; + out[8+i] <-- y[i]; + } + + //Verification using closed Flystel + component pow[8]; + signal y2[8]; + signal v2[8]; + + for(var i=0; i<8; i++){ + pow[i] = pow_alpha_16_to_1(); + pow[i].in <== in[8+i] - out[8+i]; + y2[i] <== in[8+i]*in[8+i]; + v2[i] <== out[8+i]*out[8+i]; + in[i] === pow[i].out + 7 * y2[i]; + out[i] === pow[i].out + 7 * v2[i] + 14981678621464625851270783002338847382197300714436467949315331057125308909861;// DELTA + } +} + +template round_16_to_1(round_number) { + signal input in[16]; + signal output out[16]; + + component cst = ark_layer_16_to_1(round_number); + component mds = mds_layer_16_to_1(); + component sbox = s_box_16_to_1(); + + for(var i=0; i<16; i++){ + cst.in[i] <== in[i]; + } + for(var i=0; i<16; i++){ + mds.in[i] <== cst.out[i]; + } + for(var i=0; i<16; i++){ + sbox.in[i] <== mds.out[i]; + } + for(var i=0; i<16; i++){ + out[i] <== sbox.out[i]; + } +} + +template permutation_16_to_1(){ + signal input in[16]; + signal output out[16]; + + component rounds[10]; + component mds = mds_layer_16_to_1(); + + for(var i = 0; i<10; i++){ //10 rounds + rounds[i] = round_16_to_1(i); + if(i==0){ + for(var j=0; j<16; j++){ + rounds[i].in[j] <== in[j]; + } + } else { + for(var j=0; j<16; j++){ + rounds[i].in[j] <== rounds[i-1].out[j]; + } + } + } + for(var i=0; i<16; i++){ + mds.in[i] <== rounds[9].out[i]; + } + for(var i=0; i<16; i++){ + out[i] <== mds.out[i]; + } +} + +template hash_16_to_1(){ + signal input in[16]; + signal output out; + + component perm = permutation_16_to_1(); + for(var i=0; i<16; i++){ + perm.in[i] <== in[i]; + } + + out <== in[0] + perm.out[0] + + in[1] + perm.out[1] + + in[2] + perm.out[2] + + in[3] + perm.out[3] + + in[4] + perm.out[4] + + in[5] + perm.out[5] + + in[6] + perm.out[6] + + in[7] + perm.out[7] + + in[8] + perm.out[8] + + in[9] + perm.out[9] + + in[10] + perm.out[10] + + in[11] + perm.out[11] + + in[12] + perm.out[12] + + in[13] + perm.out[13] + + in[14] + perm.out[14] + + in[15] + perm.out[15]; +} + +//component main = hash_16_to_1(); \ No newline at end of file diff --git a/Proof of Leadership/anemoi/anemoi_2_to_1_Jubjub.circom b/Proof of Leadership/anemoi/anemoi_2_to_1_Jubjub.circom new file mode 100644 index 0000000..8061322 --- /dev/null +++ b/Proof of Leadership/anemoi/anemoi_2_to_1_Jubjub.circom @@ -0,0 +1,122 @@ +//test +pragma circom 2.1.9; + +include "anemoi_Jubjub_2_to_1_constants.circom"; + +template ark_layer_2_to_1(round_number) { + assert(round_number < 21); + + signal input in[2]; + signal output out[2]; + + var C[21] = C_2_to_1(); + var D[21] = D_2_to_1(); + + out[0] <== in[0] + C[round_number]; + out[1] <== in[1] + D[round_number]; +} + +template pow_alpha_2_to_1() { // ALPHA = 5 + signal input in; + signal output out; + + signal in2; + signal in4; + + in2 <== in*in; + in4 <== in2 * in2; + out <== in4 * in; +} + +template mds_layer_2_to_1() { + signal input in[2]; + signal output out[2]; + + out[1] <== in[1] + in[0]; + out[0] <== in[0] + out[1]; +} + +template s_box_2_to_1() { + signal input in[2]; + signal output out[2]; + + + //Calculation using open Flystel + var x; + var y; + x = in[0]; + y = in[1]; + + x = x - 7 * (y**2); + y = y - (x**20974350070050476191779096203274386335076221000211055129041463479975432473805); // 1/ALPHA + x = x + 7 * (y**2) + 14981678621464625851270783002338847382197300714436467949315331057125308909861; //DELTA + out[0] <-- x; + out[1] <-- y; + + + //Verification using closed Flystel + + component pow = pow_alpha_2_to_1(); + pow.in <== in[1] - out[1]; + + signal y2; + signal v2; + y2 <== in[1]*in[1]; + v2 <==out[1]*out[1]; + in[0] === pow.out + 7 * y2; + out[0] === pow.out + 7 * v2 + 14981678621464625851270783002338847382197300714436467949315331057125308909861;// DELTA +} + +template round_2_to_1(round_number) { + signal input in[2]; + signal output out[2]; + + component cst = ark_layer_2_to_1(round_number); + component mds = mds_layer_2_to_1(); + component sbox = s_box_2_to_1(); + + cst.in[0] <== in[0]; + cst.in[1] <== in[1]; + mds.in[0] <== cst.out[0]; + mds.in[1] <== cst.out[1]; + sbox.in[0] <== mds.out[0]; + sbox.in[1] <== mds.out[1]; + out[0] <== sbox.out[0]; + out[1] <== sbox.out[1]; +} + +template permutation_2_to_1(){ + signal input in[2]; + signal output out[2]; + + component rounds[21]; + component mds = mds_layer_2_to_1(); + + for(var i = 0; i<21; i++){ //21 rounds + rounds[i] = round_2_to_1(i); + if(i==0){ + rounds[i].in[0] <== in[0]; + rounds[i].in[1] <== in[1]; + } else { + rounds[i].in[0] <== rounds[i-1].out[0]; + rounds[i].in[1] <== rounds[i-1].out[1]; + } + } + mds.in[0] <== rounds[20].out[0]; + mds.in[1] <== rounds[20].out[1]; + out[0] <== mds.out[0]; + out[1] <== mds.out[1]; +} + +template hash_2_to_1(){ + signal input in[2]; + signal output out; + + component perm = permutation_2_to_1(); + perm.in[0] <== in[0]; + perm.in[1] <== in[1]; + + out <== in[0] + perm.out[0] + in[1] + perm.out[1]; +} + +//component main = hash_2_to_1(); \ No newline at end of file diff --git a/Proof of Leadership/anemoi/anemoi_4_to_1_Jubjub.circom b/Proof of Leadership/anemoi/anemoi_4_to_1_Jubjub.circom new file mode 100644 index 0000000..4f2e7b9 --- /dev/null +++ b/Proof of Leadership/anemoi/anemoi_4_to_1_Jubjub.circom @@ -0,0 +1,179 @@ +//test +pragma circom 2.1.9; + +include "anemoi_Jubjub_4_to_1_constants.circom"; + +template ark_layer_4_to_1(round_number) { + assert(round_number < 14); + + signal input in[4]; + signal output out[4]; + + var C[14][2] = C_4_to_1(); + var D[14][2] = D_4_to_1(); + + out[0] <== in[0] + C[round_number][0]; + out[1] <== in[1] + C[round_number][1]; + out[2] <== in[2] + D[round_number][0]; + out[3] <== in[3] + D[round_number][1]; +} + +template pow_alpha_4_to_1() { // ALPHA = 5 + signal input in; + signal output out; + + signal in2; + signal in4; + + in2 <== in*in; + in4 <== in2 * in2; + out <== in4 * in; +} + +template mds_layer_4_to_1() { + signal input in[4]; + signal output out[4]; + + signal x0; + signal x1; + signal y0; + signal y1; + + x0 <== in[0] + 7*in[1]; + x1 <== 7*in[0] + 50*in[1]; + + y0 <== in[3] + 7*in[2]; + y1 <== 7*in[3] + 50*in[2]; + + out[2] <== y0 + x0; + out[3] <== y1 + x1; + out[0] <== x0 + out[2]; + out[1] <== x1 + out[3]; +} + + +template s_box_4_to_1() { + signal input in[4]; + signal output out[4]; + + + //Calculation using open Flystel + var x0; + var y0; + x0 = in[0]; + y0 = in[2]; + + x0 = x0 - 7 * (y0**2); + y0 = y0 - (x0**20974350070050476191779096203274386335076221000211055129041463479975432473805); // 1/ALPHA + x0 = x0 + 7 * (y0**2) + 14981678621464625851270783002338847382197300714436467949315331057125308909861; //DELTA + + var x1; + var y1; + x1 = in[1]; + y1 = in[3]; + + x1 = x1 - 7 * (y1**2); + y1 = y1 - (x1**20974350070050476191779096203274386335076221000211055129041463479975432473805); // 1/ALPHA + x1 = x1 + 7 * (y1**2) + 14981678621464625851270783002338847382197300714436467949315331057125308909861; //DELTA + + out[0] <-- x0; + out[1] <-- x1; + out[2] <-- y0; + out[3] <-- y1; + + + //Verification using closed Flystel + + component pow[2]; + pow[0] = pow_alpha_4_to_1(); + pow[1] = pow_alpha_4_to_1(); + + + pow[0].in <== in[2] - out[2]; + signal y0_2; + signal v0_2; + y0_2 <== in[2]*in[2]; + v0_2 <==out[2]*out[2]; + in[0] === pow[0].out + 7 * y0_2; + out[0] === pow[0].out + 7 * v0_2 + 14981678621464625851270783002338847382197300714436467949315331057125308909861;// DELTA + + pow[1].in <== in[3] - out[3]; + signal y1_2; + signal v1_2; + y1_2 <== in[3]*in[3]; + v1_2 <==out[3]*out[3]; + in[1] === pow[1].out + 7 * y1_2; + out[1] === pow[1].out + 7 * v1_2 + 14981678621464625851270783002338847382197300714436467949315331057125308909861;// DELTA +} + +template round_4_to_1(round_number) { + signal input in[4]; + signal output out[4]; + + component cst = ark_layer_4_to_1(round_number); + component mds = mds_layer_4_to_1(); + component sbox = s_box_4_to_1(); + + cst.in[0] <== in[0]; + cst.in[1] <== in[1]; + cst.in[2] <== in[2]; + cst.in[3] <== in[3]; + mds.in[0] <== cst.out[0]; + mds.in[1] <== cst.out[1]; + mds.in[2] <== cst.out[2]; + mds.in[3] <== cst.out[3]; + sbox.in[0] <== mds.out[0]; + sbox.in[1] <== mds.out[1]; + sbox.in[2] <== mds.out[2]; + sbox.in[3] <== mds.out[3]; + out[0] <== sbox.out[0]; + out[1] <== sbox.out[1]; + out[2] <== sbox.out[2]; + out[3] <== sbox.out[3]; +} + +template permutation_4_to_1(){ + signal input in[4]; + signal output out[4]; + + component rounds[14]; + component mds = mds_layer_4_to_1(); + + for(var i = 0; i<14; i++){ //14 rounds + rounds[i] = round_4_to_1(i); + if(i==0){ + rounds[i].in[0] <== in[0]; + rounds[i].in[1] <== in[1]; + rounds[i].in[2] <== in[2]; + rounds[i].in[3] <== in[3]; + } else { + rounds[i].in[0] <== rounds[i-1].out[0]; + rounds[i].in[1] <== rounds[i-1].out[1]; + rounds[i].in[2] <== rounds[i-1].out[2]; + rounds[i].in[3] <== rounds[i-1].out[3]; + } + } + mds.in[0] <== rounds[13].out[0]; + mds.in[1] <== rounds[13].out[1]; + mds.in[2] <== rounds[13].out[2]; + mds.in[3] <== rounds[13].out[3]; + out[0] <== mds.out[0]; + out[1] <== mds.out[1]; + out[2] <== mds.out[2]; + out[3] <== mds.out[3]; +} + +template hash_4_to_1(){ + signal input in[4]; + signal output out; + + component perm = permutation_4_to_1(); + perm.in[0] <== in[0]; + perm.in[1] <== in[1]; + perm.in[2] <== in[2]; + perm.in[3] <== in[3]; + + out <== in[0] + perm.out[0] + in[1] + perm.out[1] + in[2] + perm.out[2] + in[3] + perm.out[3]; +} + +//component main = hash_4_to_1(); \ No newline at end of file diff --git a/Proof of Leadership/anemoi/anemoi_Jubjub_16_to_1_constants.circom b/Proof of Leadership/anemoi/anemoi_Jubjub_16_to_1_constants.circom new file mode 100644 index 0000000..88e5e97 --- /dev/null +++ b/Proof of Leadership/anemoi/anemoi_Jubjub_16_to_1_constants.circom @@ -0,0 +1,174 @@ +//test +pragma circom 2.1.9; + +function C_16_to_1() { + return + [ + [39, + 17756515227822460609684409997111995494590448775258437999344446424780281143353, + 10188916128123599964772546147951904500865009616764646948187915341627970346879, + 3814237141406755457246679946340702245820791055503616462386588886553626328449, + 31231358838611540266091127386940316382485316827738464579249222989762089961618, + 3726010289701932654130304682574596267996890432970838266711107863585526844332, + 36992578177313978374320714629037014712724552282717071185860782184820525992055, + 6539662723010541897260760345121608837413747021964775102659796495628351576700], + [41362478282768062297187132445775312675360473883834860695283235286481594490621, + 3384073892082712848969991795331397937188893616190315628722966662742467187281, + 38536464596998108028197905645250196649287447208374169339784649587982292038621, + 37592197675289757358471908199906415982484124338112374453435292524131427342810, + 23880328728725835218995126249367316438768592574548525705412373412647097582882, + 48825064577758348008118486787590853038041005302054740877940928369291358302191, + 50534173420081783859714292066423124353911378857266355124747257390448683204724, + 7428946804745276726594228607058422733621008211707460976374155647815125702793], + [9548818195234740988996233204400874453525674173109474205108603996010297049928, + 51311880822158488881090781617710146800056386303122657365679608608648067582435, + 24596965950552905296088269899880882549715354660832391374009234980535928382152, + 34036826250287807194659359129722586818079652442547178531030410684351456041117, + 47245638746867242507412562212796342461134942817161752237394648503282879275118, + 31300595906266724771648800100316060631685700019604649908550024867487861705279, + 3785144237087232802472944225009874259820952161256157218342463192641540401693, + 13192072039732854032991114991329331830093509159172499125522354840599160152710], + [25365440569177822667580105183435418073995888230868180942004497015015045856900, + 29347609441914902330741511702270026847909178228078752565372729158237774700914, + 14356478667385969079309349540394948109414829921001045845599553435706989367858, + 9488013611624811735432450930006811652991761655550510302915118428283918068143, + 46788925259457988525082226160565541608877312582477767975013905645120335169226, + 39167900530643229840202791109535532972977251341471019870612379478843295475401, + 35468869056801697991539514623685427699753784556397696975236370718172619478088, + 10386758415207822166675671630819234802877311049149240741713298889822859300210], + [34023498397393406644117994167986720327178154686105264833093891093045919619309, + 2339620320400167830454536231899316133967303509954474267430948538955691907104, + 12136748919666286297989154404429099226154686992028401568133058190732008277996, + 19442569822772655270268482835742480365499256802520510905846953360427433130058, + 6121842489566508888444793919988648467487285035515564826894797322329857604679, + 52423305139993282549959548255411402052505266722715464547641713196825757370045, + 721115880708783722056278375691123676170968994983418732948150001331611213553, + 28368777671879812853105774722579268517023359292257929653599900440020077784493], + [38816051319719761886041858113129205506758421478656182868737326994635468402951, + 27338042530319738113354246208426108832239651080023276643867223794985578055610, + 15580674179713644540398409523441814073810768449493940562136422009899312699155, + 4362660876979205605782410963041525734654031488177761934879852229226211686053, + 11650586156654079013116836535888803264128748996614961532114710040258230535152, + 19531964257180260867876509318520389540889883401661971174170106848135773712126, + 28219700779483915272028450015085470411949576744039967576016029120273878374251, + 33474277480452546775130924043517012470949538154685955521260479155699441559340], + [35167418087531820804128377095512663922179887277669504047069913414630376083753, + 42192983528513372869128514327443204912824559545179630597589572656156258515752, + 47389212411441573266379092392931599970417884729397156841216318364858334633325, + 41487656259632727393098274178738763934249662924287956242704596746920012242443, + 47585046162349898019384381324380934361400616741262019467964248889992556789636, + 22864477306086472394102077909444955034170624450796904926669386049666664492257, + 13351050514115985199153581050320477287713057625178307041078042677800880924875, + 37405300160039662564807777381564989963058089105400420537288945543199341594301], + [25885868839756469722325652387535232478219821850603640827385444642154834700231, + 42721818980548514490325424436763032046927347769153393863616095871384405840432, + 5855288403637341107158034195599277569854359593529752399086836976954392351035, + 18845851722124019325834426094831743068408557621685658713002749358354699910772, + 33256528590007803378062158842587476459976080810702643409997408348306082386089, + 2234591446681396008493892860306849390171100567645872660203494363121541667798, + 194686086885408743916631695867994306362987352657004869135407425114760399927, + 28761022534147935351682915336446217569572759443228321225221961720692449395484], + [8867588811641202981080659274007552529205713737251862066053445622305818871963, + 23473499332437056484066006746048591864129988909190267521144125882222313735740, + 5696063807157149622355481994320806474692190935543821893362808351446578125354, + 48558031599255072862103809681060565464555437399403822458902024251997890071747, + 29805490370918962312941798594103721605222271424104745148638516522088829641991, + 37489036434356676843050473824100415300808075220521554146913930229334867812254, + 11631357050894820069054650807562155039191303868752185889040197345022629525927, + 24660767228992591228910666543569781024799661249145320635218341313794706416082], + [36439756010140137556111047750162544185710881404522379792044818039722752946048, + 16497366583607480604161417644040292299204496829635795525393416854929276060989, + 31479323495970113713816467604460499675889579912370034974841212556442942086146, + 52327065242455117582590188333899352706031813782154293138553490341266149456684, + 22462223600300108924276123720518708580622354327562062947406284488847554180931, + 40996278729170725855966064159584167091102415184996744640950022676164065046834, + 19430817579416357934148820670939901668848861606295052060308554899051486801548, + 12483379002100433076591219143638049458199676871775181258981956241115974881163] + ]; +} + +function D_16_to_1() { + return + [ + [14981678621464625851270783002338847382197300714436467949315331057125308909900, + 48720959343719104324739338388885839802998711550637402773896395605948383052052, + 11709610427641952476226704950218052763560489079301307464225164120801969364960, + 3188799073106888901912065951229864304299742047220134499402570163601813730969, + 35055566170683830204685883433867693478135114051401583710007741398997412970579, + 41969389849183863090802087476567191363990360356945841340095187311995419576515, + 7556226394164164334481570938023506204252451033715203682883249970224239802922, + 17176882240248932567902590122153974429675966351354956648777145117980813990398], + [28253420209785428420233456008091632509255652343634529984400816700490470131093, + 6257781313532096835800460747082714697295034136932481743077166200794135826591, + 11966422202069200811427605007493817363680804416274031195624148724039857787313, + 8876022912542631074912834764773050492660953075192093830253524158063181475941, + 52049674541477055908813163364458131823806820044102483998576800878704568506967, + 6541832267666828237118069633374954748041800470865307468523599474646236580472, + 45442960117610900571098429443573054134827707854155326784175634232674544930715, + 42411304802662598148459339452254226615271657786988481684897413326989736031615], + [51511939407083344002778208487678590135577660247075600880835916725469990319313, + 4386017178186728799761421274050927732938229436976005221436222062273391481632, + 663227665329044490605880474899933274574966982371072793854806732105730575244, + 7956955597245727322388196907364651338722736293265717471854714933795446618648, + 25615413494197319129070770032476622018948872899826892271961489884914005459090, + 44089542881006441891384034667061558189843302802581673885742427288293557612473, + 1330235044321395925144992814935234051203536271783948441776912650379638572084, + 50810734147355221866144137049300565722210413848092339398051685135286006925932], + [46291121544435738125248657675097664742296276807186696922340332893747842754587, + 13820180736478645172746469075181304604729976364812127548341524461074783412926, + 21821175320697611197161277831984495658213397245419754392657307036488476373765, + 14806577897118234786495606424219372997573800509149076370951604526939593458489, + 4121259770197377590627011188630352152939645167495297314189270176024564981500, + 30919407268792259403824602884665561517383256626800433152413305048922095010897, + 11976519627445173558098140421995318477384771169277877503279343325183821276781, + 26967980286239502443715270897174999681242618240421470318851152333782809701734], + [3650460179273129580093806058710273018999560093475503119057680216309578390988, + 40385222771838099109662234020243831589690223478794847201235014486200724862134, + 20738601554725926373596082603265918636164823648026470243422423735982938342408, + 25898290090014076279086638237202313571292864987698437102115051403552551578909, + 17027208157180086391192319363486696710451739452640092116905432497642111659971, + 45311967859890310071336359937788702458122841339624237957674250711373999964046, + 30801797608226447725817644589434252152704077439970597211826393252750837255264, + 46087155524659491087900373896182305256600235815109519358969365828449471244522], + [45802223370746268123059159806400152299867771061127345631244786118574025749328, + 50306980075778262214155693291132052551559962723436936231611301042966928400825, + 9105861908793877437599087016640061747418296780065295891365798855886560153752, + 48177591413367409915642056167048753041735583848456612607691620273026228709602, + 7479286918288249337458111273748279770690595088312775476065356516306801980629, + 49779837246224071690294810803445084047795402193671669060746314363358914880825, + 43223717601022172097383565523190027152080076863600432708834283672429421806147, + 36115990427252817831519272511481477474123806352110831880569955844865152409554], + [11798621276624967315721748990709309216351696098813162382053396097866233042733, + 34806952212038537244506031612074847133207330427265785757809673463434908473570, + 10559431278588446438155840088055546145087872298641007742921718770142881700525, + 2511742758961381498086249076485723904703122022711664665388729650078747694082, + 13058778062050708618301726264166109369024922071632328984390918925338427847716, + 22757381433196923491096449596295348042138602481479098385721617124187105273559, + 50435973648847072778532507268536698366596569483938905568975979489192305153887, + 9692044244906573895772196051455153467294816541497792469074445791662352057118], + [42372918959432199162670834641599336326433006968669415662488070504036922966492, + 22755759419530071315007011572076166983660942447634027701351681157370705921018, + 8881354201366797207686592249590682298565723459695719800911380560885170725516, + 19725785152035256359574211351446161592903393017031483635806025440159666669692, + 38586107420291196905731314141240110021641762437995069426543221562298184751450, + 41983342504374430034240074906024700952180454895250182619374868616288213756381, + 24699580977072888772599627764765708101597323007812082074548828715213834751707, + 40903613549597429611399144365203839627850863176247809657126605147801691165582], + [52181371244193189669553521955614617990714056725501643636576377752669773323445, + 30334172084294870556875274308904688414158741457854908094300017436690480001547, + 35548861917762862971011720475855172816698712671893796030607658203859222685056, + 23828822166916376664523534857031979764654878164406016294521947902346141831375, + 9525926338952422609290893812113350942492558421053540078000977304624217008060, + 51628644629799777637476595789175262638422034917782233018901952051044824901545, + 10527109078832366866417586795816864610030244893563632007270266203664988878415, + 11194215382192152257306835491684398858682370351821177979939632309447233186888], + [23791984554824031672195249524658580601428376029501889159059009332107176394097, + 19832360622723392584029764807971325641132953515557801717644226271356492507876, + 5370567718707734490084045178883836972105253285449736908577321570876055642415, + 24072177097374519292068993110945703798030958684413852593268331853573451397392, + 51092856030717857607132039047789240547482897962295861318467321833280572912593, + 51610208211871924557451265725733951220616079019514789132032962359833072317205, + 14800890894612002638570836260269548031587506768363863797633541619652896335116, + 47927023617684282491494208201013569921672642612236042045401823798666133017562] + ]; +} diff --git a/Proof of Leadership/anemoi/anemoi_Jubjub_2_to_1_constants.circom b/Proof of Leadership/anemoi/anemoi_Jubjub_2_to_1_constants.circom new file mode 100644 index 0000000..0c1a3e6 --- /dev/null +++ b/Proof of Leadership/anemoi/anemoi_Jubjub_2_to_1_constants.circom @@ -0,0 +1,56 @@ +//test +pragma circom 2.1.9; + +function C_2_to_1() { + return + [ + 39, + 41362478282768062297187132445775312675360473883834860695283235286481594490621, + 9548818195234740988996233204400874453525674173109474205108603996010297049928, + 25365440569177822667580105183435418073995888230868180942004497015015045856900, + 34023498397393406644117994167986720327178154686105264833093891093045919619309, + 38816051319719761886041858113129205506758421478656182868737326994635468402951, + 35167418087531820804128377095512663922179887277669504047069913414630376083753, + 25885868839756469722325652387535232478219821850603640827385444642154834700231, + 8867588811641202981080659274007552529205713737251862066053445622305818871963, + 36439756010140137556111047750162544185710881404522379792044818039722752946048, + 7788624504122357216765350546787885309160020166693449889975992574536033007374, + 3134147137704626983201116226440762775442116005053282329971088789984415999550, + 50252287380741824818995733304361249016282047978221591906573165442023106203143, + 48434698978712278012409706205559577163572452744833134361195687109159129985373, + 32960510617530186159512413633821386297955642598241661044178889571655571939473, + 12850897859166761094422335671106280470381427571695744605265713866647560628356, + 14578036872634298798382048587794204613583128573535557156943783762854124345644, + 21588109842058901916690548710649523388049643745013696896704903154857389904594, + 35731638686520516424752846654442973203189295883541072759390882351699754104989, + 34141830003233180772153845227433233456603143306530920011579259084215824391544, + 30272543670850635882116596228256005460817517173808721139136515002908946750291 + ]; +} + +function D_2_to_1() { + return + [ + 14981678621464625851270783002338847382197300714436467949315331057125308909900, + 28253420209785428420233456008091632509255652343634529984400816700490470131093, + 51511939407083344002778208487678590135577660247075600880835916725469990319313, + 46291121544435738125248657675097664742296276807186696922340332893747842754587, + 3650460179273129580093806058710273018999560093475503119057680216309578390988, + 45802223370746268123059159806400152299867771061127345631244786118574025749328, + 11798621276624967315721748990709309216351696098813162382053396097866233042733, + 42372918959432199162670834641599336326433006968669415662488070504036922966492, + 52181371244193189669553521955614617990714056725501643636576377752669773323445, + 23791984554824031672195249524658580601428376029501889159059009332107176394097, + 33342520831620303764059548442834699069640109058400548818586964467754352720368, + 16791548253207744974576845515705461794133799104808996134617754018912057476556, + 11087343419860825311828133337767238110556416596687749174422888171911517001265, + 11931207770538477937808955037363240956790374856666237106403111503668796872571, + 3296943608590459582451043049934874894049468383833500962645016062634514172805, + 7080580976521357573320018355401935489220216583936865937104131954142364033647, + 25990144965911478244481527888046366474489820502460615136523859419965697796405, + 33907313384235729375566529911940467295099705980234607934575786561097199483218, + 25996950265608465541351207283024962044374873682152889814392533334239395044136, + 17878892320641464292190655092475335317049416605865175118054314040434534086821, + 25443622609028754422863910981890932539396181992608938932620284900889552530362 + ]; +} diff --git a/Proof of Leadership/anemoi/anemoi_Jubjub_4_to_1_constants.circom b/Proof of Leadership/anemoi/anemoi_Jubjub_4_to_1_constants.circom new file mode 100644 index 0000000..eb00d61 --- /dev/null +++ b/Proof of Leadership/anemoi/anemoi_Jubjub_4_to_1_constants.circom @@ -0,0 +1,70 @@ +//test +pragma circom 2.1.9; + +function C_4_to_1() { + return + [ + [39, + 17756515227822460609684409997111995494590448775258437999344446424780281143353], + [41362478282768062297187132445775312675360473883834860695283235286481594490621, + 3384073892082712848969991795331397937188893616190315628722966662742467187281], + [9548818195234740988996233204400874453525674173109474205108603996010297049928, + 51311880822158488881090781617710146800056386303122657365679608608648067582435], + [25365440569177822667580105183435418073995888230868180942004497015015045856900, + 29347609441914902330741511702270026847909178228078752565372729158237774700914], + [34023498397393406644117994167986720327178154686105264833093891093045919619309, + 2339620320400167830454536231899316133967303509954474267430948538955691907104], + [38816051319719761886041858113129205506758421478656182868737326994635468402951, + 27338042530319738113354246208426108832239651080023276643867223794985578055610], + [35167418087531820804128377095512663922179887277669504047069913414630376083753, + 42192983528513372869128514327443204912824559545179630597589572656156258515752], + [25885868839756469722325652387535232478219821850603640827385444642154834700231, + 42721818980548514490325424436763032046927347769153393863616095871384405840432], + [8867588811641202981080659274007552529205713737251862066053445622305818871963, + 23473499332437056484066006746048591864129988909190267521144125882222313735740], + [36439756010140137556111047750162544185710881404522379792044818039722752946048, + 16497366583607480604161417644040292299204496829635795525393416854929276060989], + [7788624504122357216765350546787885309160020166693449889975992574536033007374, + 16727395967350522643500778393489915391834352737211416857240725807058479128000], + [3134147137704626983201116226440762775442116005053282329971088789984415999550, + 46525506418681456193255596516104416743523037046982280449529426136392814992763], + [50252287380741824818995733304361249016282047978221591906573165442023106203143, + 46030886964045328670650579467522042981756109464584907077434772786649263902996], + [48434698978712278012409706205559577163572452744833134361195687109159129985373, + 19216533213230709497947223526297848065365334472367022650183395435586190711770] + ]; +} + +function D_4_to_1() { + return + [ + [14981678621464625851270783002338847382197300714436467949315331057125308909900, + 48720959343719104324739338388885839802998711550637402773896395605948383052052], + [28253420209785428420233456008091632509255652343634529984400816700490470131093, + 6257781313532096835800460747082714697295034136932481743077166200794135826591], + [51511939407083344002778208487678590135577660247075600880835916725469990319313, + 4386017178186728799761421274050927732938229436976005221436222062273391481632], + [46291121544435738125248657675097664742296276807186696922340332893747842754587, + 13820180736478645172746469075181304604729976364812127548341524461074783412926], + [3650460179273129580093806058710273018999560093475503119057680216309578390988, + 40385222771838099109662234020243831589690223478794847201235014486200724862134], + [45802223370746268123059159806400152299867771061127345631244786118574025749328, + 50306980075778262214155693291132052551559962723436936231611301042966928400825], + [11798621276624967315721748990709309216351696098813162382053396097866233042733, + 34806952212038537244506031612074847133207330427265785757809673463434908473570], + [42372918959432199162670834641599336326433006968669415662488070504036922966492, + 22755759419530071315007011572076166983660942447634027701351681157370705921018], + [52181371244193189669553521955614617990714056725501643636576377752669773323445, + 30334172084294870556875274308904688414158741457854908094300017436690480001547], + [23791984554824031672195249524658580601428376029501889159059009332107176394097, + 19832360622723392584029764807971325641132953515557801717644226271356492507876], + [33342520831620303764059548442834699069640109058400548818586964467754352720368, + 5828182614154296575131381170785760240834851189333374788484657124381010655319], + [16791548253207744974576845515705461794133799104808996134617754018912057476556, + 23729797853490401568967730686618146850735129707152853256809050789424668284094], + [11087343419860825311828133337767238110556416596687749174422888171911517001265, + 22848708497596347027267124890363029002241440143993561170521113640580467699956], + [11931207770538477937808955037363240956790374856666237106403111503668796872571, + 51131682674615117766578358255722474622484771145670260043231096654077231782319] + ]; +} diff --git a/Proof of Leadership/anemoi/script_setup_prover.sh b/Proof of Leadership/anemoi/script_setup_prover.sh new file mode 100644 index 0000000..77b84c6 --- /dev/null +++ b/Proof of Leadership/anemoi/script_setup_prover.sh @@ -0,0 +1,49 @@ +#!/bin/bash + +set -e + +TAU=../../../keys/powersOfTau20_BLS_final.ptau + +circom "$1.circom" --r1cs --wasm -p bls12381 +cd "$1_js/" +node generate_witness.js "$1.wasm" ../input.json ../witness.wtns +cd .. +rm -R "$1_js/" +snarkjs groth16 setup "$1.r1cs" $TAU circuit_0000.zkey -v +snarkjs zkey contribute circuit_0000.zkey circuit_0001.zkey --name="1st Contributor Name" -e="entropy" -v +snarkjs zkey beacon circuit_0001.zkey "$1.zkey" 0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 10 -n="Final Beacon phase2" -v +snarkjs zkey export verificationkey "$1.zkey" verification_key.json -v + +rm circuit_0* + + + + +#for i in `seq 1 20`; +#do +# ../../../rapidsnark/package/bin/prover "$1.zkey" witness.wtns proof.json public.json + snarkjs groth16 prove "$1.zkey" witness.wtns proof.json public.json +#done + + + +#start=$(date +%s%6N) +#for i in `seq 1 100`; +#do +snarkjs groth16 prove "$1.zkey" witness.wtns proof.json public.json +#../../../rapidsnark/package/bin/prover "$1.zkey" witness.wtns proof.json public.json +#done + + +#end=$(date +%s%6N) + + + +rm witness.wtns + +snarkjs groth16 verify verification_key.json public.json proof.json + +#temps=$((($end-$start)/100)) +#echo "Temps de la preuve: $temps micro secondes " + +rm "$1.zkey" diff --git a/Proof of Leadership/leadership_anemoi.circom b/Proof of Leadership/leadership_anemoi.circom new file mode 100644 index 0000000..fbb3eba --- /dev/null +++ b/Proof of Leadership/leadership_anemoi.circom @@ -0,0 +1,301 @@ +//test +pragma circom 2.1.9; + +include "anemoi/anemoi_2_to_1_Jubjub.circom"; +include "anemoi/anemoi_4_to_1_Jubjub.circom"; +include "anemoi/anemoi_16_to_1_Jubjub.circom"; +include "../../circomlib-master/circuits/bitify.circom"; + +template BLSLessThan(n) { + assert(n <= 253); + signal input in[2]; + signal output out; + + component n2b = Num2Bits(n+1); + + n2b.in <== in[0]+ (1< n2b.in; + + for (var i=0; i<255; i++) { + n2b.out[i] ==> out[i]; + if(i != 0){ + n2b.out[i] ==> check_range.in[i-1]; + } + } + + check_range.out * (n2b.out[0]) === 0; //must be zero exept if the first bit is 0 => then in is on 254 bits and p-1 on 255 +} + +template BLSBits2Num_strict() { + signal input in[255]; + signal output out; + + component check_range = CompConstant(23487852865797141623554994256013988874373056334117496812739262697960298774528); + component b2n = Bits2Num(255); + + for (var i=0; i<255; i++) { + in[i] ==> b2n.in[i]; + if(i != 0){ + in[i] ==> check_range.in[i-1]; + } + } + + check_range.out * in[0] === 0; + + b2n.out ==> out; +} + +template check_bits(n){ + signal input bits[n]; + for(var i=0; i n2b.in; + + for (var i=0; i<255; i++) { + n2b.out[i] ==> out[i]; + if(i != 0){ + n2b.out[i] ==> check_range.in[i-1]; + } + } + + check_range.out * (n2b.out[0]) === 0; //must be zero exept if the first bit is 0 => then in is on 254 bits and p-1 on 255 +} + +template BLSBits2Num_strict() { + signal input in[255]; + signal output out; + + component check_range = CompConstant(23487852865797141623554994256013988874373056334117496812739262697960298774528); + component b2n = Bits2Num(255); + + for (var i=0; i<255; i++) { + in[i] ==> b2n.in[i]; + if(i != 0){ + in[i] ==> check_range.in[i-1]; + } + } + + check_range.out * in[0] === 0; + + b2n.out ==> out; +} + +template check_bits(n){ + signal input bits[n]; + for(var i=0; i n2b.in; + + for (var i=0; i<255; i++) { + n2b.out[i] ==> out[i]; + if(i != 0){ + n2b.out[i] ==> check_range.in[i-1]; + } + } + + check_range.out * (n2b.out[0]) === 0; //must be zero exept if the first bit is 0 => then in is on 254 bits and p-1 on 255 +} + +template BLSBits2Num_strict() { + signal input in[255]; + signal output out; + //ensure that in is not greater than p + component check_range = CompConstant(23487852865797141623554994256013988874373056334117496812739262697960298774528); + component b2n = Bits2Num(255); + + for (var i=0; i<255; i++) { + in[i] ==> b2n.in[i]; + if(i != 0){ + in[i] ==> check_range.in[i-1]; + } + } + + check_range.out * in[0] === 0; + + b2n.out ==> out; +} + +template check_bits(n){ + signal input bits[n]; + for(var i=0; i n2b.in; + + for (var i=0; i<255; i++) { + n2b.out[i] ==> out[i]; + if(i != 0){ + n2b.out[i] ==> check_range.in[i-1]; + } + } + + check_range.out * (n2b.out[0]) === 0; //must be zero exept if the first bit is 0 => then in is on 254 bits and p-1 on 255 +} + +template BLSBits2Num_strict() { + signal input in[255]; + signal output out; + //ensure that in is not greater than p + component check_range = CompConstant(23487852865797141623554994256013988874373056334117496812739262697960298774528); + component b2n = Bits2Num(255); + + for (var i=0; i<255; i++) { + in[i] ==> b2n.in[i]; + if(i != 0){ + in[i] ==> check_range.in[i-1]; + } + } + + check_range.out * in[0] === 0; + + b2n.out ==> out; +} + +template check_bits(n){ + signal input bits[n]; + for(var i=0; i Date: Thu, 18 Jul 2024 09:23:02 +0200 Subject: [PATCH 3/9] Minor fix on poseidon function bug --- Proof of Leadership/poseidon/poseidon_16_to_1_Jubjub.circom | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Proof of Leadership/poseidon/poseidon_16_to_1_Jubjub.circom b/Proof of Leadership/poseidon/poseidon_16_to_1_Jubjub.circom index 6a068c6..02a7912 100644 --- a/Proof of Leadership/poseidon/poseidon_16_to_1_Jubjub.circom +++ b/Proof of Leadership/poseidon/poseidon_16_to_1_Jubjub.circom @@ -361,7 +361,7 @@ template partial_round_16_to_1(round_number) { for(var i=1; i<16; i++){ matrix.in[i] <== in[i]; } - for(var i=1; i<16; i++){ + for(var i=0; i<16; i++){ out[i] <== matrix.out[i]; } } From 068fec7b096bc6132241ee5dbf086518da31fbca Mon Sep 17 00:00:00 2001 From: thomaslavaur Date: Thu, 18 Jul 2024 10:57:45 +0200 Subject: [PATCH 4/9] Add a python script to generate winning note input file for Anemoi/Poseidon Merkle and any VRF --- Proof of Leadership/generate_inputs.py | 1348 ++++++++++++++++++++++++ 1 file changed, 1348 insertions(+) create mode 100755 Proof of Leadership/generate_inputs.py diff --git a/Proof of Leadership/generate_inputs.py b/Proof of Leadership/generate_inputs.py new file mode 100755 index 0000000..0cfb01c --- /dev/null +++ b/Proof of Leadership/generate_inputs.py @@ -0,0 +1,1348 @@ +#!/usr/bin/sage +# -*- mode: python ; -*- + + +from sage.all import * +import hashlib +import itertools +from hashlib import sha256 + +p = 52435875175126190479447740508185965837690552500527637822603658699938581184513 +F = FiniteField(p) + + + + + +# anemoi is from their repo +COST_ALPHA = { + 3 : 2, 5 : 3, 7 : 4, 9 : 4, + 11 : 5, 13 : 5, 15 : 5, 17 : 5, + 19 : 6, 21 : 6, 23 : 6, 25 : 6, + 27 : 6, 29 : 7, 31 : 7, 33 : 6, + 35 : 7, 37 : 7, 39 : 7, 41 : 7, + 43 : 7, 45 : 7, 47 : 8, 49 : 7, + 51 : 7, 53 : 8, 55 : 8, 57 : 8, + 59 : 8, 61 : 8, 63 : 8, 65 : 7, + 67 : 8, 69 : 8, 71 : 9, 73 : 8, + 75 : 8, 77 : 8, 79 : 9, 81 : 8, + 83 : 8, 85 : 8, 87 : 9, 89 : 9, + 91 : 9, 93 : 9, 95 : 9, 97 : 8, + 99 : 8, 101 : 9, 103 : 9, 105 : 9, + 107 : 9, 109 : 9, 111 : 9, 113 : 9, + 115 : 9, 117 : 9, 119 : 9, 121 : 9, + 123 : 9, 125 : 9, 127 : 10, +} + +ALPHA_BY_COST = { + c : [x for x in range(3, 128, 2) if COST_ALPHA[x] == c] + for c in range(2, 11) +} + +PI_0 = 1415926535897932384626433832795028841971693993751058209749445923078164062862089986280348253421170679 +PI_1 = 8214808651328230664709384460955058223172535940812848111745028410270193852110555964462294895493038196 + +def get_prime(N): + result = (1 << N) - 1 + while not is_prime(result): + result -= 2 + return result + + +def get_n_rounds(s, l, alpha): + r = 0 + complexity = 0 + kappa = {3:1, 5:2, 7:4, 9:7, 11:9} + assert alpha in kappa + while complexity < 2**s: + r += 1 + complexity = binomial( + 4*l*r + kappa[alpha], + 2*l*r + )**2 + r += 2 # considering the second model + r += min(5,l+1) # security margin + + return max(8, r) + + +# Linear layer generation + +def is_mds(m): + # Uses the Laplace expansion of the determinant to calculate the (m+1)x(m+1) minors in terms of the mxm minors. + # Taken from https://github.com/mir-protocol/hash-constants/blob/master/mds_search.sage. + + # 1-minors are just the elements themselves + if any(any(r == 0 for r in row) for row in m): + return False + + N = m.nrows() + assert m.is_square() and N >= 2 + + det_cache = m + + # Calculate all the nxn minors of m: + for n in range(2, N+1): + new_det_cache = dict() + for rows in itertools.combinations(range(N), n): + for cols in itertools.combinations(range(N), n): + i, *rs = rows + + # Laplace expansion along row i + det = 0 + for j in range(n): + # pick out c = column j; the remaining columns are in cs + c = cols[j] + cs = cols[:j] + cols[j+1:] + + # Look up the determinant from the previous iteration + # and multiply by -1 if j is odd + cofactor = det_cache[(*rs, *cs)] + if j % 2 == 1: + cofactor = -cofactor + + # update the determinant with the j-th term + det += m[i, c] * cofactor + + if det == 0: + return False + new_det_cache[(*rows, *cols)] = det + det_cache = new_det_cache + return True + +def M_2(x_input, b): + x = x_input[:] + x[0] += b*x[1] + x[1] += b*x[0] + return x + +def M_3(x_input, b): + x = x_input[:] + t = x[0] + b*x[2] + x[2] += x[1] + x[2] += b*x[0] + x[0] = t + x[2] + x[1] += t + return x + + +def M_4(x_input, b): + x = x_input[:] + x[0] += x[1] + x[2] += x[3] + x[3] += b*x[0] + x[1] = b*(x[1] + x[2]) + x[0] += x[1] + x[2] += b*x[3] + x[1] += x[2] + x[3] += x[0] + return x + +def lfsr(x_input, b): + x = x_input[:] + l = len(x) + for r in range(0, l): + t = sum(b**(2**i) * x[i] for i in range(0, l)) + x = x[1:] + [t] + return x + +def circulant_mds_matrix(field, l, coeff_upper_limit=None): + if coeff_upper_limit == None: + coeff_upper_limit = l+1 + assert(coeff_upper_limit > l) + for v in itertools.combinations_with_replacement(range(1,coeff_upper_limit), l): + mat = matrix.circulant(list(v)).change_ring(field) + if is_mds(mat): + return(mat) + # In some cases, the method won't return any valid matrix, + # hence the need to increase the limit further. + return circulant_mds_matrix(field, l, coeff_upper_limit+1) + +def get_mds(field, l): + if l == 1: + return identity_matrix(field, 1) + if l <= 4: # low addition case + a = field.multiplicative_generator() + b = field.one() + t = 0 + while True: + # we construct the matrix + mat = [] + b = b*a + t += 1 + for i in range(0, l): + x_i = [field.one() * (j == i) for j in range(0, l)] + if l == 2: + mat.append(M_2(x_i, b)) + elif l == 3: + mat.append(M_3(x_i, b)) + elif l == 4: + mat.append(M_4(x_i, b)) + mat = Matrix(field, l, l, mat).transpose() + if is_mds(mat): + return mat + else: # circulant matrix case + return circulant_mds_matrix(field, l) + +# AnemoiPermutation class + +class AnemoiPermutation: + def __init__(self, + q=None, + alpha=None, + mat=None, + n_rounds=None, + n_cols=1, + security_level=128): + if q == None: + raise Exception("The characteristic of the field must be specified!") + self.q = q + self.prime_field = is_prime(q) # if true then we work over a + # prime field with + # characteristic just under + # 2**N, otherwise the + # characteristic is 2**self + self.n_cols = n_cols # the number of parallel S-boxes in each round + self.security_level = security_level + + # initializing the other variables in the state: + # - q is the characteristic of the field + # - g is a generator of the multiplicative subgroup + # - alpha is the main exponent (in the center of the Flystel) + # - beta is the coefficient in the quadratic subfunction + # - gamma is the constant in the second quadratic subfunction + # - QUAD is the secondary (quadratic) exponent + # - from_field is a function mapping field elements to integers + # - to_field is a function mapping integers to field elements + self.F = GF(self.q) + if self.prime_field: + if alpha != None: + if gcd(alpha, self.q-1) != 1: + raise Exception("alpha should be co-prime with the characteristic!") + else: + self.alpha = alpha + else: + self.alpha = 3 + while gcd(self.alpha, self.q-1) != 1: + self.alpha += 1 + self.QUAD = 2 + self.to_field = lambda x : self.F(x) + self.from_field = lambda x : Integer(x) + else: + self.alpha = 3 + self.QUAD = 3 + self.to_field = lambda x : self.F.fetch_int(x) + self.from_field = lambda x : x.integer_representation() + self.g = self.F.multiplicative_generator() + self.beta = self.g + self.delta = self.g**(-1) + self.alpha_inv = inverse_mod(self.alpha, self.q-1) + + # total number of rounds + if n_rounds != None: + self.n_rounds = n_rounds + else: + self.n_rounds = get_n_rounds(self.security_level, + self.n_cols, + self.alpha) + + # Choosing constants: self.C and self.D are built from the + # digits of pi using an open butterfly + self.C = [] + self.D = [] + pi_F_0 = self.to_field(PI_0 % self.q) + pi_F_1 = self.to_field(PI_1 % self.q) + for r in range(0, self.n_rounds): + pi_0_r = pi_F_0**r + self.C.append([]) + self.D.append([]) + for i in range(0, self.n_cols): + pi_1_i = pi_F_1**i + pow_alpha = (pi_0_r + pi_1_i)**self.alpha + self.C[r].append(self.g * (pi_0_r)**2 + pow_alpha) + self.D[r].append(self.g * (pi_1_i)**2 + pow_alpha + self.delta) + self.mat = get_mds(self.F, self.n_cols) + + + def __str__(self): + result = "Anemoi instance over F_{:d} ({}), n_rounds={:d}, n_cols={:d}, s={:d}".format( + self.q, + "odd prime field" if self.prime_field else "characteristic 2", + self.n_rounds, + self.n_cols, + self.security_level + ) + result += "\nalpha={}, beta={}, \ndelta={}\nM_x=\n{}\ninv_alpha={}\n".format( + self.alpha, + self.beta, + self.delta, + self.mat, + self.alpha_inv + ) + result += "C={}\nD={}".format( + [[self.from_field(x) for x in self.C[r]] for r in range(0, self.n_rounds)], + [[self.from_field(x) for x in self.D[r]] for r in range(0, self.n_rounds)], + ) + return result + + + # !SECTION! Sub-components + + def evaluate_sbox(self, _x, _y): + x, y = _x, _y + x -= self.beta*y**self.QUAD + y -= x**self.alpha_inv + x += self.beta*y**self.QUAD + self.delta + return x, y + + def linear_layer(self, _x, _y): + x, y = _x[:], _y[:] + x = self.mat*vector(x) + y = self.mat*vector(y[1:] + [y[0]]) + + # Pseudo-Hadamard transform on each (x,y) pair + y += x + x += y + return list(x), list(y) + + + # !SECTION! Evaluation + + def eval_with_intermediate_values(self, _x, _y): + x, y = _x[:], _y[:] + result = [[x[:], y[:]]] + for r in range(0, self.n_rounds): + for i in range(0, self.n_cols): + x[i] += self.C[r][i] + y[i] += self.D[r][i] + x, y = self.linear_layer(x, y) + for i in range(0, self.n_cols): + x[i], y[i] = self.evaluate_sbox(x[i], y[i]) + result.append([x[:], y[:]]) + # final call to the linear layer + x, y = self.linear_layer(x, y) + result.append([x[:], y[:]]) + return result + + + def input_size(self): + return 2*self.n_cols + + + def __call__(self, _x): + if len(_x) != self.input_size(): + raise Exception("wrong input size!") + else: + x, y = _x[:self.n_cols], _x[self.n_cols:] + u, v = self.eval_with_intermediate_values(x, y)[-1] + return u + v # concatenation, not a sum + + + # !SECTION! Writing full system of equations + + def get_polynomial_variables(self): + x_vars = [] + y_vars = [] + all_vars = [] + for r in range(0, self.n_rounds+1): + x_vars.append(["X{:02d}{:02d}".format(r, i) for i in range(0, self.n_cols)]) + y_vars.append(["Y{:02d}{:02d}".format(r, i) for i in range(0, self.n_cols)]) + all_vars += x_vars[-1] + all_vars += y_vars[-1] + pol_ring = PolynomialRing(self.F, (self.n_rounds+1)*2*self.n_cols, all_vars) + pol_gens = pol_ring.gens() + result = {"X" : [], "Y" : []} + for r in range(0, self.n_rounds+1): + result["X"].append([]) + result["Y"].append([]) + for i in range(0, self.n_cols): + result["X"][r].append(pol_gens[self.n_cols*2*r + i]) + result["Y"][r].append(pol_gens[self.n_cols*2*r + i + self.n_cols]) + return result + + + def verification_polynomials(self, pol_vars): + equations = [] + for r in range(0, self.n_rounds): + # the outputs of the open flystel are the state variables x, y at round r+1 + u = pol_vars["X"][r+1] + v = pol_vars["Y"][r+1] + # the inputs of the open flystel are the state variables + # x, y at round r after undergoing the constant addition + # and the linear layer + x, y = pol_vars["X"][r], pol_vars["Y"][r] + x = [x[i] + self.C[r][i] for i in range(0, self.n_cols)] + y = [y[i] + self.D[r][i] for i in range(0, self.n_cols)] + x, y = self.linear_layer(x, y) + for i in range(0, self.n_cols): + equations.append( + (y[i]-v[i])**self.alpha + self.beta*y[i]**self.QUAD - x[i] + ) + equations.append( + (y[i]-v[i])**self.alpha + self.beta*v[i]**self.QUAD + self.delta - u[i] + ) + return equations + + + def print_verification_polynomials(self): + p_vars = self.get_polynomial_variables() + eqs = self.verification_polynomials(p_vars) + variables_string = "" + for r in range(0, self.n_rounds+1): + variables_string += str(p_vars["X"][r])[1:-1] + "," + str(p_vars["Y"][r])[1:-1] + "," + print(variables_string[:-1].replace(" ", "")) + print(self.q) + for f in eqs: + print(f) + + + +# !SECTION! Modes of operation + + +def jive(P, b, _x): + if b < 2: + raise Exception("b must be at least equal to 2") + if P.input_size() % b != 0: + raise Exception("b must divide the input size!") + c = P.input_size()/b # length of the compressed output + # Output size check: we allow the output size to be 3 bits shorter than + # the theoretical target, as commonly used finite fields usually have a + # characteristic size slightly under 2**256. + if c * P.F.cardinality().nbits() < 2 * P.security_level - 3: + raise Exception(f"digest size is too small for the targeted security level!") + x = _x[:] + u = P(x) + compressed = [] + for i in range(0, int(c)): + compressed.append(sum(x[int(i+c*j)] + u[int(i+c*j)] + for j in range(0, int(b)))) + return compressed + +A_2 = AnemoiPermutation(q=p, alpha=5, n_rounds=None, n_cols=1, security_level=128) +A_4 = AnemoiPermutation(q=p, alpha=5, n_rounds=None, n_cols=2, security_level=128) +A_16 = AnemoiPermutation(q=p, alpha=5, n_rounds=None, n_cols=8, security_level=128) + +def anemoi(state): + if len(state) == 2: + return jive(A_2,2,state)[0] + if len(state) == 4: + return jive(A_4,4,state)[0] + if len(state) == 16: + return jive(A_16,16,state)[0] + +def poseidon(state): + if len(state) == 2: + original_state = state + cst = poseidon_round_constant_2_to_1() + state = poseidon_linear_layer_2_to_1(state) + for i in range(4): + for j in range(2): + state[j] += cst[2*i+j] + state[j] = state[j]**5 + state = poseidon_linear_layer_2_to_1(state) + for i in range(56): + state[0] += cst[i + 8] + state[0] = state[0]**5 + state = poseidon_linear_layer_2_to_1(state) + for i in range(4): + for j in range(2): + state[j] += cst[64 + i*2 + j] + state[j] = state[j]**5 + state = poseidon_linear_layer_2_to_1(state) + return state[0] + state[1] + original_state[0] + original_state[1] + if len(state) == 4: + original_state = state + cst = poseidon_round_constant_4_to_1() + state = poseidon_external_linear_layer_4_to_1(state) + for i in range(4): + for j in range(4): + state[j] += cst[4*i+j] + state[j] = state[j]**5 + state = poseidon_external_linear_layer_4_to_1(state) + for i in range(56): + state[0] += cst[i + 16] + state[0] = state[0]**5 + state = poseidon_internal_linear_layer_4_to_1(state) + for i in range(4): + for j in range(4): + state[j] += cst[72 + i*4 + j] + state[j] = state[j]**5 + state = poseidon_external_linear_layer_4_to_1(state) + h = F(0) + for i in range(4): + h += state[i] + original_state[i] + return h + if len(state) == 16: + original_state = state + cst = poseidon_round_constant_16_to_1() + state = poseidon_external_linear_layer_16_to_1(state) + for i in range(4): + for j in range(16): + state[j] += cst[16*i+j] + state[j] = state[j]**5 + state = poseidon_external_linear_layer_16_to_1(state) + for i in range(57): + state[0] += cst[i + 64] + state[0] = state[0]**5 + state = poseidon_internal_linear_layer_16_to_1(state) + for i in range(4): + for j in range(16): + state[j] += cst[121 + i*16 + j] + state[j] = state[j]**5 + state = poseidon_external_linear_layer_16_to_1(state) + h = F(0) + for i in range(16): + h += state[i] + original_state[i] + return h + +def poseidon_linear_layer_2_to_1(state): + M = Matrix(F,[[2,1],[1,2]]) + return [2*state[0]+state[1],state[0]+2*state[1]] + +def poseidon_external_linear_layer_4_to_1(state): + M_4 = [[5,7,1,3],[4,6,1,1],[1,3,5,7],[1,1,4,6]] + new_state = [0 for i in range(4)] + for i in range(4): + for j in range(4): + new_state[i] += M_4[i][j] * state[j] + return new_state + +def poseidon_external_linear_layer_16_to_1(state): + M_E = [[10,14,2,6,5,7,1,3,5,7,1,3,5,7,1,3], + [ 8,12,2,2,4,6,1,1,4,6,1,1,4,6,1,1], + [ 2,6,10,14,1,3,5,7,1,3,5,7,1,3,5,7], + [ 2,2,8,12,1,1,4,6,1,1,4,6,1,1,4,6], + [ 5,7,1,3,10,14,2,6,5,7,1,3,5,7,1,3], + [ 4,6,1,1,8,12,2,2,4,6,1,1,4,6,1,1], + [ 1,3,5,7,2,6,10,14,1,3,5,7,1,3,5,7], + [ 1,1,4,6,2,2,8,12,1,1,4,6,1,1,4,6], + [ 5,7,1,3,5,7,1,3,10,14,2,6,5,7,1,3], + [ 4,6,1,1,4,6,1,1,8,12,2,2,4,6,1,1], + [ 1,3,5,7,1,3,5,7,2,6,10,14,1,3,5,7], + [ 1,1,4,6,1,1,4,6,2,2,8,12,1,1,4,6], + [ 5,7,1,3,5,7,1,3,5,7,1,3,10,14,2,6], + [ 4,6,1,1,4,6,1,1,4,6,1,1,8,12,2,2], + [ 1,3,5,7,1,3,5,7,1,3,5,7,2,6,10,14], + [ 1,1,4,6,1,1,4,6,1,1,4,6,2,2,8,12]] + new_state = [0 for i in range(16)] + for i in range(16): + for j in range(16): + new_state[i] += M_E[i][j] * state[j] + return new_state + +def poseidon_internal_linear_layer_4_to_1(state): + M_I = [[2,1,1,1],[1,2,1,1],[1,1,4,1],[1,1,1,8]] + new_state = [0 for i in range(4)] + for i in range(4): + for j in range(4): + new_state[i] += M_I[i][j] * state[j] + return new_state + +def poseidon_internal_linear_layer_16_to_1(state): + M_I = [[68,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1], + [1,85,1,1,1,1,1,1,1,1,1,1,1,1,1,1], + [1,1,81,1,1,1,1,1,1,1,1,1,1,1,1,1], + [1,1,1,95,1,1,1,1,1,1,1,1,1,1,1,1], + [1,1,1,1,58,1,1,1,1,1,1,1,1,1,1,1], + [1,1,1,1,1,90,1,1,1,1,1,1,1,1,1,1], + [1,1,1,1,1,1,93,1,1,1,1,1,1,1,1,1], + [1,1,1,1,1,1,1,40,1,1,1,1,1,1,1,1], + [1,1,1,1,1,1,1,1,35,1,1,1,1,1,1,1], + [1,1,1,1,1,1,1,1,1,25,1,1,1,1,1,1], + [1,1,1,1,1,1,1,1,1,1,2,1,1,1,1,1], + [1,1,1,1,1,1,1,1,1,1,1,96,1,1,1,1], + [1,1,1,1,1,1,1,1,1,1,1,1,22,1,1,1], + [1,1,1,1,1,1,1,1,1,1,1,1,1,74,1,1], + [1,1,1,1,1,1,1,1,1,1,1,1,1,1,69,1], + [1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,53]] + new_state = [0 for i in range(16)] + for i in range(16): + for j in range(16): + new_state[i] += M_I[i][j] * state[j] + return new_state + + + +def anemoi_C_2_to_1(): + return [ + 39, + 41362478282768062297187132445775312675360473883834860695283235286481594490621, + 9548818195234740988996233204400874453525674173109474205108603996010297049928, + 25365440569177822667580105183435418073995888230868180942004497015015045856900, + 34023498397393406644117994167986720327178154686105264833093891093045919619309, + 38816051319719761886041858113129205506758421478656182868737326994635468402951, + 35167418087531820804128377095512663922179887277669504047069913414630376083753, + 25885868839756469722325652387535232478219821850603640827385444642154834700231, + 8867588811641202981080659274007552529205713737251862066053445622305818871963, + 36439756010140137556111047750162544185710881404522379792044818039722752946048, + 7788624504122357216765350546787885309160020166693449889975992574536033007374, + 3134147137704626983201116226440762775442116005053282329971088789984415999550, + 50252287380741824818995733304361249016282047978221591906573165442023106203143, + 48434698978712278012409706205559577163572452744833134361195687109159129985373, + 32960510617530186159512413633821386297955642598241661044178889571655571939473, + 12850897859166761094422335671106280470381427571695744605265713866647560628356, + 14578036872634298798382048587794204613583128573535557156943783762854124345644, + 21588109842058901916690548710649523388049643745013696896704903154857389904594, + 35731638686520516424752846654442973203189295883541072759390882351699754104989, + 34141830003233180772153845227433233456603143306530920011579259084215824391544, + 30272543670850635882116596228256005460817517173808721139136515002908946750291 + ] + +def anemoi_D_2_to_1(): + return [ + 14981678621464625851270783002338847382197300714436467949315331057125308909900, + 28253420209785428420233456008091632509255652343634529984400816700490470131093, + 51511939407083344002778208487678590135577660247075600880835916725469990319313, + 46291121544435738125248657675097664742296276807186696922340332893747842754587, + 3650460179273129580093806058710273018999560093475503119057680216309578390988, + 45802223370746268123059159806400152299867771061127345631244786118574025749328, + 11798621276624967315721748990709309216351696098813162382053396097866233042733, + 42372918959432199162670834641599336326433006968669415662488070504036922966492, + 52181371244193189669553521955614617990714056725501643636576377752669773323445, + 23791984554824031672195249524658580601428376029501889159059009332107176394097, + 33342520831620303764059548442834699069640109058400548818586964467754352720368, + 16791548253207744974576845515705461794133799104808996134617754018912057476556, + 11087343419860825311828133337767238110556416596687749174422888171911517001265, + 11931207770538477937808955037363240956790374856666237106403111503668796872571, + 3296943608590459582451043049934874894049468383833500962645016062634514172805, + 7080580976521357573320018355401935489220216583936865937104131954142364033647, + 25990144965911478244481527888046366474489820502460615136523859419965697796405, + 33907313384235729375566529911940467295099705980234607934575786561097199483218, + 25996950265608465541351207283024962044374873682152889814392533334239395044136, + 17878892320641464292190655092475335317049416605865175118054314040434534086821, + 25443622609028754422863910981890932539396181992608938932620284900889552530362 + ] + +def anemoi_C_4_to_1(): + return [ + [39, + 17756515227822460609684409997111995494590448775258437999344446424780281143353], + [41362478282768062297187132445775312675360473883834860695283235286481594490621, + 3384073892082712848969991795331397937188893616190315628722966662742467187281], + [9548818195234740988996233204400874453525674173109474205108603996010297049928, + 51311880822158488881090781617710146800056386303122657365679608608648067582435], + [25365440569177822667580105183435418073995888230868180942004497015015045856900, + 29347609441914902330741511702270026847909178228078752565372729158237774700914], + [34023498397393406644117994167986720327178154686105264833093891093045919619309, + 2339620320400167830454536231899316133967303509954474267430948538955691907104], + [38816051319719761886041858113129205506758421478656182868737326994635468402951, + 27338042530319738113354246208426108832239651080023276643867223794985578055610], + [35167418087531820804128377095512663922179887277669504047069913414630376083753, + 42192983528513372869128514327443204912824559545179630597589572656156258515752], + [25885868839756469722325652387535232478219821850603640827385444642154834700231, + 42721818980548514490325424436763032046927347769153393863616095871384405840432], + [8867588811641202981080659274007552529205713737251862066053445622305818871963, + 23473499332437056484066006746048591864129988909190267521144125882222313735740], + [36439756010140137556111047750162544185710881404522379792044818039722752946048, + 16497366583607480604161417644040292299204496829635795525393416854929276060989], + [7788624504122357216765350546787885309160020166693449889975992574536033007374, + 16727395967350522643500778393489915391834352737211416857240725807058479128000], + [3134147137704626983201116226440762775442116005053282329971088789984415999550, + 46525506418681456193255596516104416743523037046982280449529426136392814992763], + [50252287380741824818995733304361249016282047978221591906573165442023106203143, + 46030886964045328670650579467522042981756109464584907077434772786649263902996], + [48434698978712278012409706205559577163572452744833134361195687109159129985373, + 19216533213230709497947223526297848065365334472367022650183395435586190711770] + ] + +def anemoi_D_4_to_1(): + return [ + [14981678621464625851270783002338847382197300714436467949315331057125308909900, + 48720959343719104324739338388885839802998711550637402773896395605948383052052], + [28253420209785428420233456008091632509255652343634529984400816700490470131093, + 6257781313532096835800460747082714697295034136932481743077166200794135826591], + [51511939407083344002778208487678590135577660247075600880835916725469990319313, + 4386017178186728799761421274050927732938229436976005221436222062273391481632], + [46291121544435738125248657675097664742296276807186696922340332893747842754587, + 13820180736478645172746469075181304604729976364812127548341524461074783412926], + [3650460179273129580093806058710273018999560093475503119057680216309578390988, + 40385222771838099109662234020243831589690223478794847201235014486200724862134], + [45802223370746268123059159806400152299867771061127345631244786118574025749328, + 50306980075778262214155693291132052551559962723436936231611301042966928400825], + [11798621276624967315721748990709309216351696098813162382053396097866233042733, + 34806952212038537244506031612074847133207330427265785757809673463434908473570], + [42372918959432199162670834641599336326433006968669415662488070504036922966492, + 22755759419530071315007011572076166983660942447634027701351681157370705921018], + [52181371244193189669553521955614617990714056725501643636576377752669773323445, + 30334172084294870556875274308904688414158741457854908094300017436690480001547], + [23791984554824031672195249524658580601428376029501889159059009332107176394097, + 19832360622723392584029764807971325641132953515557801717644226271356492507876], + [33342520831620303764059548442834699069640109058400548818586964467754352720368, + 5828182614154296575131381170785760240834851189333374788484657124381010655319], + [16791548253207744974576845515705461794133799104808996134617754018912057476556, + 23729797853490401568967730686618146850735129707152853256809050789424668284094], + [11087343419860825311828133337767238110556416596687749174422888171911517001265, + 22848708497596347027267124890363029002241440143993561170521113640580467699956], + [11931207770538477937808955037363240956790374856666237106403111503668796872571, + 51131682674615117766578358255722474622484771145670260043231096654077231782319] + ] + +def anemoi_C_16_to_1(): + return [ + [39, + 17756515227822460609684409997111995494590448775258437999344446424780281143353, + 10188916128123599964772546147951904500865009616764646948187915341627970346879, + 3814237141406755457246679946340702245820791055503616462386588886553626328449, + 31231358838611540266091127386940316382485316827738464579249222989762089961618, + 3726010289701932654130304682574596267996890432970838266711107863585526844332, + 36992578177313978374320714629037014712724552282717071185860782184820525992055, + 6539662723010541897260760345121608837413747021964775102659796495628351576700], + [41362478282768062297187132445775312675360473883834860695283235286481594490621, + 3384073892082712848969991795331397937188893616190315628722966662742467187281, + 38536464596998108028197905645250196649287447208374169339784649587982292038621, + 37592197675289757358471908199906415982484124338112374453435292524131427342810, + 23880328728725835218995126249367316438768592574548525705412373412647097582882, + 48825064577758348008118486787590853038041005302054740877940928369291358302191, + 50534173420081783859714292066423124353911378857266355124747257390448683204724, + 7428946804745276726594228607058422733621008211707460976374155647815125702793], + [9548818195234740988996233204400874453525674173109474205108603996010297049928, + 51311880822158488881090781617710146800056386303122657365679608608648067582435, + 24596965950552905296088269899880882549715354660832391374009234980535928382152, + 34036826250287807194659359129722586818079652442547178531030410684351456041117, + 47245638746867242507412562212796342461134942817161752237394648503282879275118, + 31300595906266724771648800100316060631685700019604649908550024867487861705279, + 3785144237087232802472944225009874259820952161256157218342463192641540401693, + 13192072039732854032991114991329331830093509159172499125522354840599160152710], + [25365440569177822667580105183435418073995888230868180942004497015015045856900, + 29347609441914902330741511702270026847909178228078752565372729158237774700914, + 14356478667385969079309349540394948109414829921001045845599553435706989367858, + 9488013611624811735432450930006811652991761655550510302915118428283918068143, + 46788925259457988525082226160565541608877312582477767975013905645120335169226, + 39167900530643229840202791109535532972977251341471019870612379478843295475401, + 35468869056801697991539514623685427699753784556397696975236370718172619478088, + 10386758415207822166675671630819234802877311049149240741713298889822859300210], + [34023498397393406644117994167986720327178154686105264833093891093045919619309, + 2339620320400167830454536231899316133967303509954474267430948538955691907104, + 12136748919666286297989154404429099226154686992028401568133058190732008277996, + 19442569822772655270268482835742480365499256802520510905846953360427433130058, + 6121842489566508888444793919988648467487285035515564826894797322329857604679, + 52423305139993282549959548255411402052505266722715464547641713196825757370045, + 721115880708783722056278375691123676170968994983418732948150001331611213553, + 28368777671879812853105774722579268517023359292257929653599900440020077784493], + [38816051319719761886041858113129205506758421478656182868737326994635468402951, + 27338042530319738113354246208426108832239651080023276643867223794985578055610, + 15580674179713644540398409523441814073810768449493940562136422009899312699155, + 4362660876979205605782410963041525734654031488177761934879852229226211686053, + 11650586156654079013116836535888803264128748996614961532114710040258230535152, + 19531964257180260867876509318520389540889883401661971174170106848135773712126, + 28219700779483915272028450015085470411949576744039967576016029120273878374251, + 33474277480452546775130924043517012470949538154685955521260479155699441559340], + [35167418087531820804128377095512663922179887277669504047069913414630376083753, + 42192983528513372869128514327443204912824559545179630597589572656156258515752, + 47389212411441573266379092392931599970417884729397156841216318364858334633325, + 41487656259632727393098274178738763934249662924287956242704596746920012242443, + 47585046162349898019384381324380934361400616741262019467964248889992556789636, + 22864477306086472394102077909444955034170624450796904926669386049666664492257, + 13351050514115985199153581050320477287713057625178307041078042677800880924875, + 37405300160039662564807777381564989963058089105400420537288945543199341594301], + [25885868839756469722325652387535232478219821850603640827385444642154834700231, + 42721818980548514490325424436763032046927347769153393863616095871384405840432, + 5855288403637341107158034195599277569854359593529752399086836976954392351035, + 18845851722124019325834426094831743068408557621685658713002749358354699910772, + 33256528590007803378062158842587476459976080810702643409997408348306082386089, + 2234591446681396008493892860306849390171100567645872660203494363121541667798, + 194686086885408743916631695867994306362987352657004869135407425114760399927, + 28761022534147935351682915336446217569572759443228321225221961720692449395484], + [8867588811641202981080659274007552529205713737251862066053445622305818871963, + 23473499332437056484066006746048591864129988909190267521144125882222313735740, + 5696063807157149622355481994320806474692190935543821893362808351446578125354, + 48558031599255072862103809681060565464555437399403822458902024251997890071747, + 29805490370918962312941798594103721605222271424104745148638516522088829641991, + 37489036434356676843050473824100415300808075220521554146913930229334867812254, + 11631357050894820069054650807562155039191303868752185889040197345022629525927, + 24660767228992591228910666543569781024799661249145320635218341313794706416082], + [36439756010140137556111047750162544185710881404522379792044818039722752946048, + 16497366583607480604161417644040292299204496829635795525393416854929276060989, + 31479323495970113713816467604460499675889579912370034974841212556442942086146, + 52327065242455117582590188333899352706031813782154293138553490341266149456684, + 22462223600300108924276123720518708580622354327562062947406284488847554180931, + 40996278729170725855966064159584167091102415184996744640950022676164065046834, + 19430817579416357934148820670939901668848861606295052060308554899051486801548, + 12483379002100433076591219143638049458199676871775181258981956241115974881163] + ] + +def anemoi_D_16_to_1(): + return [ + [14981678621464625851270783002338847382197300714436467949315331057125308909900, + 48720959343719104324739338388885839802998711550637402773896395605948383052052, + 11709610427641952476226704950218052763560489079301307464225164120801969364960, + 3188799073106888901912065951229864304299742047220134499402570163601813730969, + 35055566170683830204685883433867693478135114051401583710007741398997412970579, + 41969389849183863090802087476567191363990360356945841340095187311995419576515, + 7556226394164164334481570938023506204252451033715203682883249970224239802922, + 17176882240248932567902590122153974429675966351354956648777145117980813990398], + [28253420209785428420233456008091632509255652343634529984400816700490470131093, + 6257781313532096835800460747082714697295034136932481743077166200794135826591, + 11966422202069200811427605007493817363680804416274031195624148724039857787313, + 8876022912542631074912834764773050492660953075192093830253524158063181475941, + 52049674541477055908813163364458131823806820044102483998576800878704568506967, + 6541832267666828237118069633374954748041800470865307468523599474646236580472, + 45442960117610900571098429443573054134827707854155326784175634232674544930715, + 42411304802662598148459339452254226615271657786988481684897413326989736031615], + [51511939407083344002778208487678590135577660247075600880835916725469990319313, + 4386017178186728799761421274050927732938229436976005221436222062273391481632, + 663227665329044490605880474899933274574966982371072793854806732105730575244, + 7956955597245727322388196907364651338722736293265717471854714933795446618648, + 25615413494197319129070770032476622018948872899826892271961489884914005459090, + 44089542881006441891384034667061558189843302802581673885742427288293557612473, + 1330235044321395925144992814935234051203536271783948441776912650379638572084, + 50810734147355221866144137049300565722210413848092339398051685135286006925932], + [46291121544435738125248657675097664742296276807186696922340332893747842754587, + 13820180736478645172746469075181304604729976364812127548341524461074783412926, + 21821175320697611197161277831984495658213397245419754392657307036488476373765, + 14806577897118234786495606424219372997573800509149076370951604526939593458489, + 4121259770197377590627011188630352152939645167495297314189270176024564981500, + 30919407268792259403824602884665561517383256626800433152413305048922095010897, + 11976519627445173558098140421995318477384771169277877503279343325183821276781, + 26967980286239502443715270897174999681242618240421470318851152333782809701734], + [3650460179273129580093806058710273018999560093475503119057680216309578390988, + 40385222771838099109662234020243831589690223478794847201235014486200724862134, + 20738601554725926373596082603265918636164823648026470243422423735982938342408, + 25898290090014076279086638237202313571292864987698437102115051403552551578909, + 17027208157180086391192319363486696710451739452640092116905432497642111659971, + 45311967859890310071336359937788702458122841339624237957674250711373999964046, + 30801797608226447725817644589434252152704077439970597211826393252750837255264, + 46087155524659491087900373896182305256600235815109519358969365828449471244522], + [45802223370746268123059159806400152299867771061127345631244786118574025749328, + 50306980075778262214155693291132052551559962723436936231611301042966928400825, + 9105861908793877437599087016640061747418296780065295891365798855886560153752, + 48177591413367409915642056167048753041735583848456612607691620273026228709602, + 7479286918288249337458111273748279770690595088312775476065356516306801980629, + 49779837246224071690294810803445084047795402193671669060746314363358914880825, + 43223717601022172097383565523190027152080076863600432708834283672429421806147, + 36115990427252817831519272511481477474123806352110831880569955844865152409554], + [11798621276624967315721748990709309216351696098813162382053396097866233042733, + 34806952212038537244506031612074847133207330427265785757809673463434908473570, + 10559431278588446438155840088055546145087872298641007742921718770142881700525, + 2511742758961381498086249076485723904703122022711664665388729650078747694082, + 13058778062050708618301726264166109369024922071632328984390918925338427847716, + 22757381433196923491096449596295348042138602481479098385721617124187105273559, + 50435973648847072778532507268536698366596569483938905568975979489192305153887, + 9692044244906573895772196051455153467294816541497792469074445791662352057118], + [42372918959432199162670834641599336326433006968669415662488070504036922966492, + 22755759419530071315007011572076166983660942447634027701351681157370705921018, + 8881354201366797207686592249590682298565723459695719800911380560885170725516, + 19725785152035256359574211351446161592903393017031483635806025440159666669692, + 38586107420291196905731314141240110021641762437995069426543221562298184751450, + 41983342504374430034240074906024700952180454895250182619374868616288213756381, + 24699580977072888772599627764765708101597323007812082074548828715213834751707, + 40903613549597429611399144365203839627850863176247809657126605147801691165582], + [52181371244193189669553521955614617990714056725501643636576377752669773323445, + 30334172084294870556875274308904688414158741457854908094300017436690480001547, + 35548861917762862971011720475855172816698712671893796030607658203859222685056, + 23828822166916376664523534857031979764654878164406016294521947902346141831375, + 9525926338952422609290893812113350942492558421053540078000977304624217008060, + 51628644629799777637476595789175262638422034917782233018901952051044824901545, + 10527109078832366866417586795816864610030244893563632007270266203664988878415, + 11194215382192152257306835491684398858682370351821177979939632309447233186888], + [23791984554824031672195249524658580601428376029501889159059009332107176394097, + 19832360622723392584029764807971325641132953515557801717644226271356492507876, + 5370567718707734490084045178883836972105253285449736908577321570876055642415, + 24072177097374519292068993110945703798030958684413852593268331853573451397392, + 51092856030717857607132039047789240547482897962295861318467321833280572912593, + 51610208211871924557451265725733951220616079019514789132032962359833072317205, + 14800890894612002638570836260269548031587506768363863797633541619652896335116, + 47927023617684282491494208201013569921672642612236042045401823798666133017562] + ] + +def poseidon_round_constant_2_to_1(): + return [ + 44510337639712444877093863969199054965277800588455612249278638908194748645831, + 21803715039317278198490310228838761820084178670568647145430631061363562182159, + 7624865858307587153533893753671854337113466346291121078558552645350285711947, + 40816250157678830542785454550323790288400761867270997552332922267166370848099, + 26700489303136047462599262740180012654857443933973506452655094204874268181798, + 29300041198680547975810813644545348954050411371551740473502764872245855641482, + 26494260871076350781917504826961109818301921647993891506179327799406892257760, + 51471943067203395853539598076816386277188697473371359746626216561944728278869, + 48874150250826827063647140518997592549563417409147246235831213929889330889464, + 4957296567799842922524759318027693610815701909959689401077625970883603151110, + 49787130886622940646628207982474849305464467960406760686521606845929813913147, + 38626507234346048667761615866199783635070759234617387640403950557591257611930, + 43672937506493322470130890010227422460105683953151094688032165492686807529714, + 10282858088808039236495153687326481750629167926398528104702176163827531439774, + 5929373583590601619353793840106929273025491048347772550388315300478156302480, + 40523767159781096993564794726793344971416282562716017669035314514589021856544, + 35087653160263082011551011896785452178273871331090954735353760094574180797326, + 44066134544197993553720315073514236799698542066082224906667320314729128689851, + 46811190561503483095087189032015959148465356044838419985597715002375968521789, + 35502138198479058392251639631217384470706251578088034693745546686222031522574, + 3011951966042824356793101436014075881633742606023423824609791334873649401619, + 36441783079799715976603149530703751751672873737838939240893549516900746063885, + 5949000965032854376013985161729805610095473216976505768565157587449663833146, + 39334547265154726054631299624100840161191136653442409769156478840344483284117, + 44407194440944549422962884120864337491414458688079798116475114348830479824132, + 17726376508115223453307205134714318843193912409715438117420622264717671262663, + 756868613004458973360577644537468651009832005811964377612175868388980341238, + 3421893741771938128946389260799798658478598753415463644298734220953059738355, + 13293243933107737951928282334791569607692876620282367672054893180625816893632, + 11906453198605884256628058547608350794281153234160543833653104246224561572116, + 41007993900563419378450318427807675773574107233531791780559911428122060668864, + 48053112103639043655338341411293547635466618118313162578053483741000954697443, + 32234194819559922425974652761643838211443296225838831687358769666643041225472, + 48939529425812404248175324082406620877605698116805848434311747711965735603142, + 23172302197508009638107441698229967178757578829167657081073715837516157038684, + 26828245904250884987904133111377098838723772557669646848196202419087853870872, + 36025164071480125389137319620343252251920437049927443652919962965645042660420, + 42147865145919705097445974287709456827305052297675196211654971979806749888911, + 20585606416170880487041307637777839232517038894653375498347934603702403525799, + 1047663270527934381838445994762652910090839507177449076034186708210288801902, + 49864990265274912108645272682223261996354786042911445790248422528668444967688, + 20274910123179255493744356413243132767746258718293295072669857132542604950741, + 39934722872842035804029775488645871956511886709858512717725127998627130523912, + 33295937568441654166303959882114891655347924209941192993151592385097862772126, + 39198754144978337534654702520273605486297255614756323128663775493042981926264, + 48114214484211668830722398263059235215883885642960292320018016482221617479308, + 20857205525756474383857323509517945359548153106777905032259140536596758842151, + 20481512031474492331394869498229505122694442073123511672315331466779200648987, + 5512348932066875222255592673449822544023582557729178288775446420395599163714, + 14748707870289380337081091822758247948394420380976550635416667891847265434773, + 20722592968207591585193709289557966995643707360519106502308701025990663556112, + 30345071158541998337681526950804671230825251993252779307899796752848528236301, + 37998633152333475045376762610205951441947316428701472139959038991258723083573, + 25187075483245106412039082847435291293567789993240499080077480139071082713811, + 19421269742609173994970218921590288196829015512476170234735579602917648585528, + 44645626649350902490681022627010246390651823839290377812847048196342039743308, + 38015410591674700109176981164929629504879929166582206795827935147005325179107, + 15907673084411204300870039215095416489657280867726923876605554605918361454411, + 4839910768263945909615643698821897421248623201436406727882801614226282796736, + 11993166323725114372511567048380837525145267539902083755578961856890086640616, + 13920948384274828210917386586592591296235909076917892178237942711445546791673, + 890670937435713979056767019654860866935017937714294844928044822115961948695, + 17228860181078068965008756660486864527552317469394243328944319614877053158985, + 10077644153064320976006893555780056518106113458749153233744229760482343163199, + 49940012233787551970719440300197866554675665187348390484098206972627022147562, + 46156268877611784805956766593634373731938578230585206172333523828368963221701, + 22953533088186447995354081903847946065608888217162100116127853233026059928601, + 52274456635025394989373456728632213614198023598074828050923870917877714774032, + 10763107301772445560209819564880953581415947909035345171575074311681161298071, + 18925434003927090811791086956853651992753402455627802833236246367412669605539, + 44640541969065703218376218137336488126193962189090743983027473909004591005110, + 6325804276918590364991192431609508508777152352802958405080031341778877821773 + ] + +def poseidon_round_constant_4_to_1(): + return [ + 11865901593870436687704696210307853465124332568266803587887584059192277437537, + 37413344849675497106163505103761203874617077416461933389729149896951619083615, + 32493856687297537788073517556470839888070933486712636845483468275561142904504, + 8106572321306448561272383558012749963748358844705299406391447161298410877832, + 11707331945334514286120137391947350087632085623772869951863164361695922976568, + 50176353669915139758684707864014381736527453065793678083699453978150986704353, + 7614231165138437703715796351400512419034157550777684039873810826440625723695, + 17108745804308684637964438487237723214541645477949369557189249702220750722331, + 28482709556494724328894800736802198653800073555798724636385135549439085356742, + 22084621272529558534346674593668266856649195963035162420257478396107381285157, + 11065046937453971018193111360820446155970823623967390073553725256595768408791, + 20163386569362559253936962862374791389308839238220230985809310822791529262025, + 3941572053547598429065422950522133819874343789089916995553450661687375302109, + 26478286544099137612981910043301624023925078357447813396543283503388535703096, + 20695873604353009531429015276900191600064214090812802713214397507580078182919, + 13125722302273298866746961565666978849814465870768123336569424431819752980076, + 36198064501926046106576802008779486932990788729159233810880339338049275796987, + 44304460846758155168737768840994398685118878625607355725968797162919830864102, + 33427295080737122973704388239917504856466726697805464799279074730831006493899, + 33676819385378678616140345579679379172852136878360832374035200947147349341877, + 44698579309865383047943970651850256651158236406641741596599260270592257060333, + 9785548396072733556484927856146778907814788851086349315764873426432645263872, + 13443943788901083053739342733252043423900693132812974385986650498262359453435, + 50643729733611061821734405325096960434556494526582143101458996741611494836986, + 9762302758250004682914036756566790454206292929079802149918241419991743778078, + 19475373737975172049750799347581927313285945820087657933615778552974211829387, + 26326676308398320579169539788392437654921007121904386041440053251920191437301, + 33434337088018971767011967694326287068660679954245122268447231545106574191053, + 21854837019991553667332010956652219921642250105983660108852707854862240766704, + 1855873836256370364169888814967543928768577071445146807885001909257610924575, + 48105724357874736702308498318239595022868478610964925776544998873327877770469, + 6893757226114776013992120610353413647048965744053221939747330482283347049271, + 49492933790401867565879330847407697876101917412920943837692305231776568086150, + 43522959518323197786977932091172575965428037444858136419745890338308804820810, + 39369220628770987071776708725487093142438968678975788148890686830600891659237, + 24332002500271167754445178113059124234684848763578719088484322891936508359054, + 32863475623207582419161401899951874256189430526558709698459253237664899579477, + 8315390532973093090228198037973187268458339671135900692256692995983001224287, + 41596164941281344945126840056611498785955123869980989807278169650894369778621, + 41140021013127548285923961611241892352480288807646515822914427245468443615449, + 42624333566444295089232230699974262280460377983015559040916764999567317327294, + 29425841969458336716648866633284898031574592123216791821970989517602546368463, + 20194832349178074328255630030474794676357522951312816945265283318496141911576, + 33508834389330212986852784163678812323448884912646004437785005736522859730449, + 20197489266521008707527755143868210833027985912465941510937472218208331469324, + 38189796622106345878699238475711002255025750905901925248625120562682573353793, + 48437331749916394313065146750618123382683254942785601073233866557242834888501, + 34815884667490928168338620954175830688114531237099462583592020572423301193334, + 1316079587764339149090919530288539945185249635387918305928554726824292235069, + 33564480841331620167847153616337187248054503582700661803825728035418602546478, + 4635634898381888421672273828316335969974599848444510316738469345444620659008, + 8644506076646842294589324870931361199184791348209582052726445382015132439419, + 39498585060657083972778194861599167626335350278223243726925173218749695943806, + 42901602831339057007425445486193581840749112246589631302873671293308101878875, + 20119933204882102974459031584507100339282292349398588923453836079377072829543, + 7917862289043363038204972116125424279857433068189510615392330392863075948512, + 41284417024025222157952919191031968108126105524670279472881067727309802924938, + 11213861995768467857413038001306057240793870929626059934261458727946548965379, + 2291742710611132809700323762125675349484016058554275673428643410085506076100, + 30099159053997341705317995418169313532098300934328131162175924134794709943047, + 447035513285578307783519781307142266645679652807941291454847780415896684065, + 19941446202184504378547837635870560393064630187876613630546846906393007677289, + 7595261399959684629699197426920893479848768772071384660164934610968891053864, + 51598580281806900142260694365187051410317675046136337884836978415482902327015, + 12450848281586712352554721829724230078424064515794153380314705783292880037478, + 5237102499670441785007944785581992844697685968922355014280712201430686167152, + 1412524057853628881005630586377727487233247150373319518286783509614859257068, + 38519766408760192821848550196157518411386556623071006612683448412823634200875, + 11338671486975802181674275776989710780888734229624346786700048285586675342901, + 23124572501783393477231165425714476214042723292141825213493635111951207504070, + 21528356110015199451243279738115385806356940590132503530639630620611521954326, + 6284174238932569340060925799940162325946442751185026413727709496271066916876, + 48373517651545249281510690416218268384343400250317171450103976311090286221260, + 27752440147182328733098243645400559151338503658043397110598417983425635093551, + 43156725395743020846958899706072234263962738024394096815001388170789961679788, + 48906049704561774201639151262665470255437206145980347197443063657678740507943, + 24918160465086526594937065443815615610757370328053649165018481775513828479869, + 36462368786443951186110721729238677880688318912401935278190656741197184273952, + 37367696075403883562827939745268661270924157618310868295845006320225084994632, + 42130603320119794983803262970740129474583503116320676437504579920473229006778, + 12096038367976885628335054904138821822550042039079703385879844461517464118581, + 34671362090033614505367959844073659507869267381932134573786004532584171425818, + 15908652423714359894720614650322760756461828514699821946843077879932200328081, + 7518568119601342737128460613704294443674406422237476295695786631549469567412, + 33513737101700389003254558060695049730922342329295390135821890558696123720054, + 49765425774819103826723198731734445691737353182147628471479513204868044796119, + 48731721046471530891684818884908827036844194399863789073273030545326532602503, + 1994879948378542466338304292753049990663872919840272992167645879411261807091 + ] + +def poseidon_round_constant_16_to_1(): + return [ + 39725799400017827115953999199803965513668921247606107843235739645000498452181, + 42966428960558994593504354654034020585855169251008976179361555763424614464338, + 1902577049757491257818576950592390026062184527103985176709404045325719879153, + 44431672934524375006946320990995907220611992982569305140824479722873832750184, + 39726183949244760384768131039650643342100328144953562677717530936076214603575, + 47922249389084318636163655667342945193486098112364797914711366318805271081986, + 1862870272947949400931550187895813583996084263112126758587127421895920740217, + 4609552006052426829558648842629624826577232105300129098751251434249497379415, + 35588143488957689566276930373759329909335354222484070944945535758095890233602, + 31992851211763793548423275170246297274462525072830105768609534303798701174374, + 10431109178659867018016774068824625279897747730577584847579124215705854088752, + 1949666570245048798153069638552026706752846020986409274673577266743024227986, + 26013146320492118585809324011747055383255013664810283913111923543378165512435, + 24326326384498087823059984407171843358848416830861907662385192677188116053544, + 22319685994625011021753350147173406654223939569203496437101532456482753075879, + 50557239558368781744228704045005139069258908206255515650400270553037541504198, + 8150349453804124148576142676639616213878444242674057629308915686941165448719, + 48208850819924081505370182430049176104131115325038330030896851480045955495846, + 23292055228237110741391983617517431423114804124284097964494568447865687504083, + 41624195613852190072343927309438239744583865875755371975404916906916622520312, + 35035764767249963834124347515646744980548162618519514861977709647292192162935, + 4779348796643887084014079273412324900195658451616750603184150546614709227590, + 33367047533960399900339953965992791362189146117008495287189183308885826514987, + 47818152023063189199872106125697047204743569529570459808477570336306405682618, + 42796246674763432543587686312218067656639355734975037053737259369488219415432, + 10957190869792979750714342710039883244593973691851341486138757518667861871308, + 2841790402482039728028394542789470351099439451234544313142331893197703007354, + 16616683520944631525798957628064854348665295295102366742591213566889088018633, + 33567370488316680379461825404457605756079279555675131093451020281219258632141, + 20149108407482774388930550024591991805677394222603241325670591147763821350175, + 26521955033333972827600806868235450804729772994352860271090218480508888628468, + 30420917495722730561485028971813175058988495495112448737909833585405582002453, + 28826298253194385387635350229770135429043506867664273190337060583321839575111, + 17917025733340975563320009027981039582040740238333569779892727038742964339095, + 7141322642265363206186621258281581108534976046127258038741170240455221165198, + 19418423356096329136327193014171723261000987171654451855537930843119849003480, + 4435246673426368856651403911455319600556213204117162371080963632405613232527, + 19632896986964074847700416879011202636067522051661757108806676985789880273707, + 27046963462399353439595827223611516072637119359583733706532920096544318625175, + 46022420944605380770914903892871308087212302911540340258773948901501361016991, + 47210247379686065208769144617004411377616699091411215517824991959313614962397, + 10113618698993232512425817656261980665816667005776383524586380129027083138291, + 35517438329843448024913764440686318451400431892618552836051616554728503908001, + 15621081553202567263286903894992975334527971102321162065809849644051230558156, + 29674547690110160534416981628193785576251233526911087635787729103482288097393, + 48072441526206759351688872909792052037070864282054279767041551741286737196367, + 41744043803776630924388673324290707208134439478043126394378048339212169592401, + 9628276074092566929694879552911540910341944885042275367756464425374067624509, + 20632626646113120307999197184021140185329277351497138331616553936227435116058, + 20792210528194122935550939155383235642592438080224243249333876170013316543401, + 40415491313636855559381927040556471386850767350804210034574345185034062472388, + 42065986796325477298062230949689861704213331366919061593388137948694441619250, + 40821207536769008545206744063766400532504619210533302382117795523897539697933, + 25553665219208663753910822024028906032034541099513008737546655361577447316484, + 19736663029664934322245808384029169299382853413147390505477065761633976373362, + 41037270906646381161943193245472673282253590700725246354740042685574618941505, + 26465673628980636091049213717769341512445753008415873261263203826832299352951, + 37036784788783168689308644616358821855616430701564621669397983274253847911044, + 16882309834972349171728263406452316383132803207143172570189837375172214690963, + 49236009794362178305819055463654400779656334164463557593816047235183326696206, + 39126492963181209630544294313956192397928968809823631059639413986679789778216, + 43658389378690206885714590070566109002458688834417247158444257250935092974665, + 16333104498316984295745962415236263230477082737132070203651697035209925593266, + 2343404888674146320460570191540978518333195833255755810571688909855019156349, + 24634045350057319695041104791403403368011675948761890270733136933077818947573, + 24387229815091645818728740871562656675244609698356948940855886553509325623218, + 34856435078036813743723173976791961760363416490222768467602434757897150562809, + 22463928646505673196264844647723745514489344400622648158270067812328221291172, + 38337547475660790190067897986042722249254601625800102257245591381379028610987, + 30884758170575514019575313258747378429451169785327990741538528539964746232511, + 407062347257081198418184706020217550797090175697390265997395699504028840069, + 46072527669630030314941843287930470349120547732416735746099013950369555752487, + 26598420173680844002096268043589508593110520210883302319058895397482348813138, + 5468186730708689095665003796421147031372937271113374556364693295567666309881, + 20408443200377694476685908188621206365577738334727573068844969120059071063384, + 46981234183655934922934842049383026387012791700440415493493702691352740266098, + 33551792494519814298680232023513160371021410923276291252829879529580574549607, + 44191750214736553132933384320160073484141698637542792822319467448466449199959, + 52082663085085422534369913780529050462333401292522763448650886744352341477846, + 43609725693554764598774802211508572436819354508573541391712385270827954088014, + 5509314597941212988576665300843166762362117860942586466472903661374654433047, + 5559029914528165704027960512924831270184459421996344081783499760333465840454, + 33524678638941473952008777383950476291303669122863259465508971654565607710124, + 45645434759869537782219495003520693614316744086502894675070357053578529462611, + 21634412361943063812483816878212759698145592627132630568177240468236243443997, + 17296076019245918134776233380747899670718046224411673517180705100767962406954, + 51440070128252977573576752509509289893411386048688470945863901737258119109741, + 3594222373894239759942466635754825806993182513993455014470212549644348436736, + 47959769456918498933526528689384868494120276948030111429507861237362437496210, + 33000764793048989170342190628396476268404452069453776919602031823454420654656, + 42826490422129152698636386897788577399393533635964594559886553174637239521118, + 52295329105725197789753101315429895369766102629019133090017712989241053783558, + 47880622238513674104247747676583724803255466382975859845069693487703628947714, + 43936946713208191402441184330937985658846334880823513129204372649490118165491, + 40251165390594695927371248080107666232732935108005358445481599233717782638896, + 4374561185857417857316731922491353498974134405011029557830297994813315862559, + 36035028519117241692429568027060454516008330481155302030640451954673337039870, + 17169679336575379664065214518686885005225695064353947035596355048982268831028, + 15880917696586343406953592641564615996605082216639892270189959812763710888748, + 44053791831887360310582759225296188780718960772971991969178524168816504578804, + 17891697801976794338721931255832783817787274947410906666444514892619618334272, + 41860684084301922118560078323296728501588433716011882280914057750677004252514, + 39634237355488544158215275263851269921534055658196710011242793797355974120931, + 17147446725471655980188874591608844349450837795690392086436662207272648235970, + 19402693173125609969856950331264436884921152880190529800026177590116055294038, + 10691603198079109355998270513275267963583839999640707229593969158192066085397, + 47540627356602773888603132684733863602762111482745208345804634126586257262607, + 5915674545476155673196233396217928914866410645604699985302660208523245942237, + 111251938011213760763774859243277527837142141250061606873636423012197111197, + 35063286980316874255015992522343006303508619821794962259547057506813060931773, + 4955838234826402705564139094252802999139115369004968713576517960060305039082, + 13792409982596927634720969816052864004355280343403291329940320489270508883803, + 35825741100880023876488868468112742657673252321462610504266451341355067205610, + 28460915945533593428542040906830378549800618474095963851867763677018897302929, + 9713844506249087416664024364428812240068094374028199286225738527757038112467, + 40679805732400884118723774115665481614915421978306297159251228478606230752474, + 29757946798627258745416990533455815630324656030573466209153051560180917776353, + 48357362019104750186375328819952102172608585465016965207540831676602884269263, + 32940491071431805169868501574465967021193902185553749640148719707932598780469, + 7473125368630470049034003737446766486818477818719886735195316440180323968735, + 49797314418731632305394406125363649977467316746705136554158771555038756351980, + 29423812245635343436136357631167744312439395772431168176499761020256672974116, + 17752952597488467689955328967514036081230334268062286286791238444994797946364, + 11187314008830530006226896925828877981837282277801039676209354309840830166312, + 1460570367181490316969148060693926446394822620570366788008558284806968117734, + 2845512215983531260468619146202988365036283019984734085030635808663534080897, + 13678775934492824068869109923010846046122089274150470818447401546000515089448, + 41560010339997824874371372926655493150700423413706122338193288307311885566768, + 44104701369840880307377204949341973251175518351389507661546336745348450403920, + 16099171949124285044549692766555664705752094379574657435086067387762269145164, + 10885502210016683506969436609216522437947532105991633231562168011909638111557, + 52156298020032266431787014754649280499452461532044760665828040879517728539708, + 33945410025064742625417443716276958550285900443924582459678703741650438534809, + 42330185455056468790993939554345514151954186453281863597765777627606599578516, + 4657049000824091386723963460476049183867985168345526464398818750489141737163, + 21923801997589000370088914236235074435502416056621470668050389849529574106202, + 15805689248891728058742321832039785423037087284565290950005114696831443231147, + 45984185687363711365029866793756997560497628108006072393015670720821342880668, + 39156427118840011190894400331617643276463742427839568112463350872444907680494, + 17893081445111736451083202165540649827781358816986209263756161212394728333001, + 36437118588111746025389127729913810175419804691977510411734238734357426423809, + 48260118028483684631326190969379716083209813670977725322552249653459435387882, + 40486986020827308332276345571616851806907994309632663940769016980912192516960, + 35099819227656121544999230187647432362290129526704475429625894785506342902690, + 27580239951806652383156459031577005530932247841092109348006802746879132126644, + 23271341957819036356728305748625419304831156372249949335195015298360923297133, + 42515055996716749819345238125802133364043851479046925751568447538867534641232, + 28714009840464082058245378340345146078016662568993921795177048501158035190256, + 1111216851713657365641977385220157904693120725668727899264987734176843126786, + 34412967565386968523345579224490035779382635330951678114018655424976710134202, + 42139998487524182591996890653589805817774015986629937281031206233447268328582, + 21691713516840627241183176855164665841929652491546118303064101066110796188953, + 27652419528236676047196125264032473043981854331278230828308077279941937298620, + 31211569185747715573358506785717075277547885839683427922002064474550453938720, + 12885686250323264975654813526936397901419023857524625007681452625820802164214, + 38368208456555528544874775339563689416708041768804542366734634684956870468665, + 17014127458377497594462762243899040828274799467801458439796258262209705848999, + 18339473410858561688021816579378042667435599228737095147372090986285098295729, + 30243070523454822835312974811746059176298060623371243491658504828859436915867, + 6856623016702194887799030091421067262770379379384975426793372305588238369793, + 14584928177339868798941696431226120632338622678933396299538143948251685736857, + 28963568590115676917816187714525023427152141272289632646661816895205441501344, + 15821449895801494782675541871540375313851597664972871699624592153555269853492, + 26870110211337166665285488169972107901304782738602697811217352528389112713316, + 29654640625766553122308126800147704038633411112031981115431401674463728957870, + 45387771697529877530693987615375947783672003547457057946997587632853767376485, + 51530073844213986083224257489799416809305283668200085363164553259742628578601, + 39500637489121678568797859105259741238785871932514496730971686474963916800838, + 34638632655721665381292046101540251812987268394182233780890406749905123665498, + 47558773840542513144047273382754220597014222776549583477762891202886304283558, + 34464683426026223214818536296789584915103714217643035512538086729011924346398, + 50661423324933414471281644339552326226886136985713868196538700335246118227921, + 16026951337367383175610820246210183497734025720194433489132017234538604936414, + 33572475268799564642745000649407837861228346301126684294541252715366099579094, + 26220434981437976873498592303656146371158505657662010285451539733034399969825, + 31040488125858696173362986090795905945928951823554908571888900564555975057860, + 47286385036886749775224009536390346046643937618292722852399698152345906543537, + 20950917282535983122464307959293663918938997314569186126689031705635737272062, + 16685712499755301665281386819771726363157372904949135525550583883571962834528, + 18683291445525541017294795892345078328382688847480507122165708511223740177458, + 2608268839331669212463985078421319322001352992807108968314090990777368891770, + 40037105172855926626375817902131326490267684706159606232991633054381953553026, + 21626330967116418140505001603028197974177240574915763170077069271066169546158, + 35330469786033362269122965704661462637931218147681429112041541870602933338162, + 7959740499179483922969783988740981409045430979967212583073048384801003055527 + ] + + + +R = RealField(500) #Real numbers with precision 500 bits + +if len(sys.argv) != Integer(7): + print("Usage: