Merge pull request #3 from logos-co/thomas/PoL/circuits

PoL circuits
This commit is contained in:
davidrusu 2024-07-24 14:15:58 +04:00 committed by GitHub
commit 30d92af73d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
21 changed files with 5298 additions and 0 deletions

3
.gitmodules vendored Normal file
View File

@ -0,0 +1,3 @@
[submodule "proof_of_leadership/circomlib"]
path = proof_of_leadership/circomlib
url = https://github.com/iden3/circomlib.git

View File

@ -0,0 +1,184 @@
//test
pragma circom 2.1.9;
include "anemoi_Jubjub_16_to_1_constants.circom";
template ark_layer_16_to_1(round_number) {
assert(round_number < 10);
signal input in[16];
signal output out[16];
var C[10][8] = C_16_to_1();
var D[10][8] = D_16_to_1();
for(var i=0; i<8; i++){
out[i] <== in[i] + C[round_number][i];
out[8+i] <== in[8+i] + D[round_number][i];
}
}
template pow_alpha_16_to_1() { // ALPHA = 5
signal input in;
signal output out;
signal in2;
signal in4;
in2 <== in*in;
in4 <== in2 * in2;
out <== in4 * in;
}
template mds_layer_16_to_1() {
signal input in[16];
signal output out[16];
/* M_x= [1 2 3 5 7 8 8 9]
[9 1 2 3 5 7 8 8]
[8 9 1 2 3 5 7 8]
[8 8 9 1 2 3 5 7]
[7 8 8 9 1 2 3 5]
[5 7 8 8 9 1 2 3]
[3 5 7 8 8 9 1 2]
[2 3 5 7 8 8 9 1] */
signal x[8];
signal y[8];
x[0] <== 1*in[0] + 2*in[1] + 3*in[2] + 5*in[3] + 7*in[4] + 8*in[5] + 8*in[6] + 9*in[7];
x[1] <== 9*in[0] + 1*in[1] + 2*in[2] + 3*in[3] + 5*in[4] + 7*in[5] + 8*in[6] + 8*in[7];
x[2] <== 8*in[0] + 9*in[1] + 1*in[2] + 2*in[3] + 3*in[4] + 5*in[5] + 7*in[6] + 8*in[7];
x[3] <== 8*in[0] + 8*in[1] + 9*in[2] + 1*in[3] + 2*in[4] + 3*in[5] + 5*in[6] + 7*in[7];
x[4] <== 7*in[0] + 8*in[1] + 8*in[2] + 9*in[3] + 1*in[4] + 2*in[5] + 3*in[6] + 5*in[7];
x[5] <== 5*in[0] + 7*in[1] + 8*in[2] + 8*in[3] + 9*in[4] + 1*in[5] + 2*in[6] + 3*in[7];
x[6] <== 3*in[0] + 5*in[1] + 7*in[2] + 8*in[3] + 8*in[4] + 9*in[5] + 1*in[6] + 2*in[7];
x[7] <== 2*in[0] + 3*in[1] + 5*in[2] + 7*in[3] + 8*in[4] + 8*in[5] + 9*in[6] + 1*in[7];
y[0] <== 1*in[9] + 2*in[10] + 3*in[11] + 5*in[12] + 7*in[13] + 8*in[14] + 8*in[15] + 9*in[8];
y[1] <== 9*in[9] + 1*in[10] + 2*in[11] + 3*in[12] + 5*in[13] + 7*in[14] + 8*in[15] + 8*in[8];
y[2] <== 8*in[9] + 9*in[10] + 1*in[11] + 2*in[12] + 3*in[13] + 5*in[14] + 7*in[15] + 8*in[8];
y[3] <== 8*in[9] + 8*in[10] + 9*in[11] + 1*in[12] + 2*in[13] + 3*in[14] + 5*in[15] + 7*in[8];
y[4] <== 7*in[9] + 8*in[10] + 8*in[11] + 9*in[12] + 1*in[13] + 2*in[14] + 3*in[15] + 5*in[8];
y[5] <== 5*in[9] + 7*in[10] + 8*in[11] + 8*in[12] + 9*in[13] + 1*in[14] + 2*in[15] + 3*in[8];
y[6] <== 3*in[9] + 5*in[10] + 7*in[11] + 8*in[12] + 8*in[13] + 9*in[14] + 1*in[15] + 2*in[8];
y[7] <== 2*in[9] + 3*in[10] + 5*in[11] + 7*in[12] + 8*in[13] + 8*in[14] + 9*in[15] + 1*in[8];
for(var i=0; i<8; i++){
out[8+i] <== x[i] + y[i];
out[i] <== x[i] + out[8+i];
}
}
template s_box_16_to_1() {
signal input in[16];
signal output out[16];
//Computation using open Flystel
var x[8];
var y[8];
for(var i=0; i<8; i++){
x[i] = in[i];
y[i] = in[8+i];
x[i] = x[i] - 7 * (y[i]**2);
y[i] = y[i] - (x[i]**20974350070050476191779096203274386335076221000211055129041463479975432473805); // 1/ALPHA
x[i] = x[i] + 7 * (y[i]**2) + 14981678621464625851270783002338847382197300714436467949315331057125308909861; // DELTA
out[i] <-- x[i];
out[8+i] <-- y[i];
}
//Verification using closed Flystel
component pow[8];
signal y2[8];
signal v2[8];
for(var i=0; i<8; i++){
pow[i] = pow_alpha_16_to_1();
pow[i].in <== in[8+i] - out[8+i];
y2[i] <== in[8+i]*in[8+i];
v2[i] <== out[8+i]*out[8+i];
in[i] === pow[i].out + 7 * y2[i];
out[i] === pow[i].out + 7 * v2[i] + 14981678621464625851270783002338847382197300714436467949315331057125308909861;// DELTA
}
}
template round_16_to_1(round_number) {
signal input in[16];
signal output out[16];
component cst = ark_layer_16_to_1(round_number);
component mds = mds_layer_16_to_1();
component sbox = s_box_16_to_1();
for(var i=0; i<16; i++){
cst.in[i] <== in[i];
}
for(var i=0; i<16; i++){
mds.in[i] <== cst.out[i];
}
for(var i=0; i<16; i++){
sbox.in[i] <== mds.out[i];
}
for(var i=0; i<16; i++){
out[i] <== sbox.out[i];
}
}
template permutation_16_to_1(){
signal input in[16];
signal output out[16];
component rounds[10];
component mds = mds_layer_16_to_1();
for(var i = 0; i<10; i++){ //10 rounds
rounds[i] = round_16_to_1(i);
if(i==0){
for(var j=0; j<16; j++){
rounds[i].in[j] <== in[j];
}
} else {
for(var j=0; j<16; j++){
rounds[i].in[j] <== rounds[i-1].out[j];
}
}
}
for(var i=0; i<16; i++){
mds.in[i] <== rounds[9].out[i];
}
for(var i=0; i<16; i++){
out[i] <== mds.out[i];
}
}
template hash_16_to_1(){
signal input in[16];
signal output out;
component perm = permutation_16_to_1();
for(var i=0; i<16; i++){
perm.in[i] <== in[i];
}
out <== in[0] + perm.out[0] +
in[1] + perm.out[1] +
in[2] + perm.out[2] +
in[3] + perm.out[3] +
in[4] + perm.out[4] +
in[5] + perm.out[5] +
in[6] + perm.out[6] +
in[7] + perm.out[7] +
in[8] + perm.out[8] +
in[9] + perm.out[9] +
in[10] + perm.out[10] +
in[11] + perm.out[11] +
in[12] + perm.out[12] +
in[13] + perm.out[13] +
in[14] + perm.out[14] +
in[15] + perm.out[15];
}
//component main = hash_16_to_1();

View File

@ -0,0 +1,122 @@
//test
pragma circom 2.1.9;
include "anemoi_Jubjub_2_to_1_constants.circom";
template ark_layer_2_to_1(round_number) {
assert(round_number < 21);
signal input in[2];
signal output out[2];
var C[21] = C_2_to_1();
var D[21] = D_2_to_1();
out[0] <== in[0] + C[round_number];
out[1] <== in[1] + D[round_number];
}
template pow_alpha_2_to_1() { // ALPHA = 5
signal input in;
signal output out;
signal in2;
signal in4;
in2 <== in*in;
in4 <== in2 * in2;
out <== in4 * in;
}
template mds_layer_2_to_1() {
signal input in[2];
signal output out[2];
out[1] <== in[1] + in[0];
out[0] <== in[0] + out[1];
}
template s_box_2_to_1() {
signal input in[2];
signal output out[2];
//Calculation using open Flystel
var x;
var y;
x = in[0];
y = in[1];
x = x - 7 * (y**2);
y = y - (x**20974350070050476191779096203274386335076221000211055129041463479975432473805); // 1/ALPHA
x = x + 7 * (y**2) + 14981678621464625851270783002338847382197300714436467949315331057125308909861; //DELTA
out[0] <-- x;
out[1] <-- y;
//Verification using closed Flystel
component pow = pow_alpha_2_to_1();
pow.in <== in[1] - out[1];
signal y2;
signal v2;
y2 <== in[1]*in[1];
v2 <==out[1]*out[1];
in[0] === pow.out + 7 * y2;
out[0] === pow.out + 7 * v2 + 14981678621464625851270783002338847382197300714436467949315331057125308909861;// DELTA
}
template round_2_to_1(round_number) {
signal input in[2];
signal output out[2];
component cst = ark_layer_2_to_1(round_number);
component mds = mds_layer_2_to_1();
component sbox = s_box_2_to_1();
cst.in[0] <== in[0];
cst.in[1] <== in[1];
mds.in[0] <== cst.out[0];
mds.in[1] <== cst.out[1];
sbox.in[0] <== mds.out[0];
sbox.in[1] <== mds.out[1];
out[0] <== sbox.out[0];
out[1] <== sbox.out[1];
}
template permutation_2_to_1(){
signal input in[2];
signal output out[2];
component rounds[21];
component mds = mds_layer_2_to_1();
for(var i = 0; i<21; i++){ //21 rounds
rounds[i] = round_2_to_1(i);
if(i==0){
rounds[i].in[0] <== in[0];
rounds[i].in[1] <== in[1];
} else {
rounds[i].in[0] <== rounds[i-1].out[0];
rounds[i].in[1] <== rounds[i-1].out[1];
}
}
mds.in[0] <== rounds[20].out[0];
mds.in[1] <== rounds[20].out[1];
out[0] <== mds.out[0];
out[1] <== mds.out[1];
}
template hash_2_to_1(){
signal input in[2];
signal output out;
component perm = permutation_2_to_1();
perm.in[0] <== in[0];
perm.in[1] <== in[1];
out <== in[0] + perm.out[0] + in[1] + perm.out[1];
}
//component main = hash_2_to_1();

View File

@ -0,0 +1,179 @@
//test
pragma circom 2.1.9;
include "anemoi_Jubjub_4_to_1_constants.circom";
template ark_layer_4_to_1(round_number) {
assert(round_number < 14);
signal input in[4];
signal output out[4];
var C[14][2] = C_4_to_1();
var D[14][2] = D_4_to_1();
out[0] <== in[0] + C[round_number][0];
out[1] <== in[1] + C[round_number][1];
out[2] <== in[2] + D[round_number][0];
out[3] <== in[3] + D[round_number][1];
}
template pow_alpha_4_to_1() { // ALPHA = 5
signal input in;
signal output out;
signal in2;
signal in4;
in2 <== in*in;
in4 <== in2 * in2;
out <== in4 * in;
}
template mds_layer_4_to_1() {
signal input in[4];
signal output out[4];
signal x0;
signal x1;
signal y0;
signal y1;
x0 <== in[0] + 7*in[1];
x1 <== 7*in[0] + 50*in[1];
y0 <== in[3] + 7*in[2];
y1 <== 7*in[3] + 50*in[2];
out[2] <== y0 + x0;
out[3] <== y1 + x1;
out[0] <== x0 + out[2];
out[1] <== x1 + out[3];
}
template s_box_4_to_1() {
signal input in[4];
signal output out[4];
//Calculation using open Flystel
var x0;
var y0;
x0 = in[0];
y0 = in[2];
x0 = x0 - 7 * (y0**2);
y0 = y0 - (x0**20974350070050476191779096203274386335076221000211055129041463479975432473805); // 1/ALPHA
x0 = x0 + 7 * (y0**2) + 14981678621464625851270783002338847382197300714436467949315331057125308909861; //DELTA
var x1;
var y1;
x1 = in[1];
y1 = in[3];
x1 = x1 - 7 * (y1**2);
y1 = y1 - (x1**20974350070050476191779096203274386335076221000211055129041463479975432473805); // 1/ALPHA
x1 = x1 + 7 * (y1**2) + 14981678621464625851270783002338847382197300714436467949315331057125308909861; //DELTA
out[0] <-- x0;
out[1] <-- x1;
out[2] <-- y0;
out[3] <-- y1;
//Verification using closed Flystel
component pow[2];
pow[0] = pow_alpha_4_to_1();
pow[1] = pow_alpha_4_to_1();
pow[0].in <== in[2] - out[2];
signal y0_2;
signal v0_2;
y0_2 <== in[2]*in[2];
v0_2 <==out[2]*out[2];
in[0] === pow[0].out + 7 * y0_2;
out[0] === pow[0].out + 7 * v0_2 + 14981678621464625851270783002338847382197300714436467949315331057125308909861;// DELTA
pow[1].in <== in[3] - out[3];
signal y1_2;
signal v1_2;
y1_2 <== in[3]*in[3];
v1_2 <==out[3]*out[3];
in[1] === pow[1].out + 7 * y1_2;
out[1] === pow[1].out + 7 * v1_2 + 14981678621464625851270783002338847382197300714436467949315331057125308909861;// DELTA
}
template round_4_to_1(round_number) {
signal input in[4];
signal output out[4];
component cst = ark_layer_4_to_1(round_number);
component mds = mds_layer_4_to_1();
component sbox = s_box_4_to_1();
cst.in[0] <== in[0];
cst.in[1] <== in[1];
cst.in[2] <== in[2];
cst.in[3] <== in[3];
mds.in[0] <== cst.out[0];
mds.in[1] <== cst.out[1];
mds.in[2] <== cst.out[2];
mds.in[3] <== cst.out[3];
sbox.in[0] <== mds.out[0];
sbox.in[1] <== mds.out[1];
sbox.in[2] <== mds.out[2];
sbox.in[3] <== mds.out[3];
out[0] <== sbox.out[0];
out[1] <== sbox.out[1];
out[2] <== sbox.out[2];
out[3] <== sbox.out[3];
}
template permutation_4_to_1(){
signal input in[4];
signal output out[4];
component rounds[14];
component mds = mds_layer_4_to_1();
for(var i = 0; i<14; i++){ //14 rounds
rounds[i] = round_4_to_1(i);
if(i==0){
rounds[i].in[0] <== in[0];
rounds[i].in[1] <== in[1];
rounds[i].in[2] <== in[2];
rounds[i].in[3] <== in[3];
} else {
rounds[i].in[0] <== rounds[i-1].out[0];
rounds[i].in[1] <== rounds[i-1].out[1];
rounds[i].in[2] <== rounds[i-1].out[2];
rounds[i].in[3] <== rounds[i-1].out[3];
}
}
mds.in[0] <== rounds[13].out[0];
mds.in[1] <== rounds[13].out[1];
mds.in[2] <== rounds[13].out[2];
mds.in[3] <== rounds[13].out[3];
out[0] <== mds.out[0];
out[1] <== mds.out[1];
out[2] <== mds.out[2];
out[3] <== mds.out[3];
}
template hash_4_to_1(){
signal input in[4];
signal output out;
component perm = permutation_4_to_1();
perm.in[0] <== in[0];
perm.in[1] <== in[1];
perm.in[2] <== in[2];
perm.in[3] <== in[3];
out <== in[0] + perm.out[0] + in[1] + perm.out[1] + in[2] + perm.out[2] + in[3] + perm.out[3];
}
//component main = hash_4_to_1();

View File

@ -0,0 +1,174 @@
//test
pragma circom 2.1.9;
function C_16_to_1() {
return
[
[39,
17756515227822460609684409997111995494590448775258437999344446424780281143353,
10188916128123599964772546147951904500865009616764646948187915341627970346879,
3814237141406755457246679946340702245820791055503616462386588886553626328449,
31231358838611540266091127386940316382485316827738464579249222989762089961618,
3726010289701932654130304682574596267996890432970838266711107863585526844332,
36992578177313978374320714629037014712724552282717071185860782184820525992055,
6539662723010541897260760345121608837413747021964775102659796495628351576700],
[41362478282768062297187132445775312675360473883834860695283235286481594490621,
3384073892082712848969991795331397937188893616190315628722966662742467187281,
38536464596998108028197905645250196649287447208374169339784649587982292038621,
37592197675289757358471908199906415982484124338112374453435292524131427342810,
23880328728725835218995126249367316438768592574548525705412373412647097582882,
48825064577758348008118486787590853038041005302054740877940928369291358302191,
50534173420081783859714292066423124353911378857266355124747257390448683204724,
7428946804745276726594228607058422733621008211707460976374155647815125702793],
[9548818195234740988996233204400874453525674173109474205108603996010297049928,
51311880822158488881090781617710146800056386303122657365679608608648067582435,
24596965950552905296088269899880882549715354660832391374009234980535928382152,
34036826250287807194659359129722586818079652442547178531030410684351456041117,
47245638746867242507412562212796342461134942817161752237394648503282879275118,
31300595906266724771648800100316060631685700019604649908550024867487861705279,
3785144237087232802472944225009874259820952161256157218342463192641540401693,
13192072039732854032991114991329331830093509159172499125522354840599160152710],
[25365440569177822667580105183435418073995888230868180942004497015015045856900,
29347609441914902330741511702270026847909178228078752565372729158237774700914,
14356478667385969079309349540394948109414829921001045845599553435706989367858,
9488013611624811735432450930006811652991761655550510302915118428283918068143,
46788925259457988525082226160565541608877312582477767975013905645120335169226,
39167900530643229840202791109535532972977251341471019870612379478843295475401,
35468869056801697991539514623685427699753784556397696975236370718172619478088,
10386758415207822166675671630819234802877311049149240741713298889822859300210],
[34023498397393406644117994167986720327178154686105264833093891093045919619309,
2339620320400167830454536231899316133967303509954474267430948538955691907104,
12136748919666286297989154404429099226154686992028401568133058190732008277996,
19442569822772655270268482835742480365499256802520510905846953360427433130058,
6121842489566508888444793919988648467487285035515564826894797322329857604679,
52423305139993282549959548255411402052505266722715464547641713196825757370045,
721115880708783722056278375691123676170968994983418732948150001331611213553,
28368777671879812853105774722579268517023359292257929653599900440020077784493],
[38816051319719761886041858113129205506758421478656182868737326994635468402951,
27338042530319738113354246208426108832239651080023276643867223794985578055610,
15580674179713644540398409523441814073810768449493940562136422009899312699155,
4362660876979205605782410963041525734654031488177761934879852229226211686053,
11650586156654079013116836535888803264128748996614961532114710040258230535152,
19531964257180260867876509318520389540889883401661971174170106848135773712126,
28219700779483915272028450015085470411949576744039967576016029120273878374251,
33474277480452546775130924043517012470949538154685955521260479155699441559340],
[35167418087531820804128377095512663922179887277669504047069913414630376083753,
42192983528513372869128514327443204912824559545179630597589572656156258515752,
47389212411441573266379092392931599970417884729397156841216318364858334633325,
41487656259632727393098274178738763934249662924287956242704596746920012242443,
47585046162349898019384381324380934361400616741262019467964248889992556789636,
22864477306086472394102077909444955034170624450796904926669386049666664492257,
13351050514115985199153581050320477287713057625178307041078042677800880924875,
37405300160039662564807777381564989963058089105400420537288945543199341594301],
[25885868839756469722325652387535232478219821850603640827385444642154834700231,
42721818980548514490325424436763032046927347769153393863616095871384405840432,
5855288403637341107158034195599277569854359593529752399086836976954392351035,
18845851722124019325834426094831743068408557621685658713002749358354699910772,
33256528590007803378062158842587476459976080810702643409997408348306082386089,
2234591446681396008493892860306849390171100567645872660203494363121541667798,
194686086885408743916631695867994306362987352657004869135407425114760399927,
28761022534147935351682915336446217569572759443228321225221961720692449395484],
[8867588811641202981080659274007552529205713737251862066053445622305818871963,
23473499332437056484066006746048591864129988909190267521144125882222313735740,
5696063807157149622355481994320806474692190935543821893362808351446578125354,
48558031599255072862103809681060565464555437399403822458902024251997890071747,
29805490370918962312941798594103721605222271424104745148638516522088829641991,
37489036434356676843050473824100415300808075220521554146913930229334867812254,
11631357050894820069054650807562155039191303868752185889040197345022629525927,
24660767228992591228910666543569781024799661249145320635218341313794706416082],
[36439756010140137556111047750162544185710881404522379792044818039722752946048,
16497366583607480604161417644040292299204496829635795525393416854929276060989,
31479323495970113713816467604460499675889579912370034974841212556442942086146,
52327065242455117582590188333899352706031813782154293138553490341266149456684,
22462223600300108924276123720518708580622354327562062947406284488847554180931,
40996278729170725855966064159584167091102415184996744640950022676164065046834,
19430817579416357934148820670939901668848861606295052060308554899051486801548,
12483379002100433076591219143638049458199676871775181258981956241115974881163]
];
}
function D_16_to_1() {
return
[
[14981678621464625851270783002338847382197300714436467949315331057125308909900,
48720959343719104324739338388885839802998711550637402773896395605948383052052,
11709610427641952476226704950218052763560489079301307464225164120801969364960,
3188799073106888901912065951229864304299742047220134499402570163601813730969,
35055566170683830204685883433867693478135114051401583710007741398997412970579,
41969389849183863090802087476567191363990360356945841340095187311995419576515,
7556226394164164334481570938023506204252451033715203682883249970224239802922,
17176882240248932567902590122153974429675966351354956648777145117980813990398],
[28253420209785428420233456008091632509255652343634529984400816700490470131093,
6257781313532096835800460747082714697295034136932481743077166200794135826591,
11966422202069200811427605007493817363680804416274031195624148724039857787313,
8876022912542631074912834764773050492660953075192093830253524158063181475941,
52049674541477055908813163364458131823806820044102483998576800878704568506967,
6541832267666828237118069633374954748041800470865307468523599474646236580472,
45442960117610900571098429443573054134827707854155326784175634232674544930715,
42411304802662598148459339452254226615271657786988481684897413326989736031615],
[51511939407083344002778208487678590135577660247075600880835916725469990319313,
4386017178186728799761421274050927732938229436976005221436222062273391481632,
663227665329044490605880474899933274574966982371072793854806732105730575244,
7956955597245727322388196907364651338722736293265717471854714933795446618648,
25615413494197319129070770032476622018948872899826892271961489884914005459090,
44089542881006441891384034667061558189843302802581673885742427288293557612473,
1330235044321395925144992814935234051203536271783948441776912650379638572084,
50810734147355221866144137049300565722210413848092339398051685135286006925932],
[46291121544435738125248657675097664742296276807186696922340332893747842754587,
13820180736478645172746469075181304604729976364812127548341524461074783412926,
21821175320697611197161277831984495658213397245419754392657307036488476373765,
14806577897118234786495606424219372997573800509149076370951604526939593458489,
4121259770197377590627011188630352152939645167495297314189270176024564981500,
30919407268792259403824602884665561517383256626800433152413305048922095010897,
11976519627445173558098140421995318477384771169277877503279343325183821276781,
26967980286239502443715270897174999681242618240421470318851152333782809701734],
[3650460179273129580093806058710273018999560093475503119057680216309578390988,
40385222771838099109662234020243831589690223478794847201235014486200724862134,
20738601554725926373596082603265918636164823648026470243422423735982938342408,
25898290090014076279086638237202313571292864987698437102115051403552551578909,
17027208157180086391192319363486696710451739452640092116905432497642111659971,
45311967859890310071336359937788702458122841339624237957674250711373999964046,
30801797608226447725817644589434252152704077439970597211826393252750837255264,
46087155524659491087900373896182305256600235815109519358969365828449471244522],
[45802223370746268123059159806400152299867771061127345631244786118574025749328,
50306980075778262214155693291132052551559962723436936231611301042966928400825,
9105861908793877437599087016640061747418296780065295891365798855886560153752,
48177591413367409915642056167048753041735583848456612607691620273026228709602,
7479286918288249337458111273748279770690595088312775476065356516306801980629,
49779837246224071690294810803445084047795402193671669060746314363358914880825,
43223717601022172097383565523190027152080076863600432708834283672429421806147,
36115990427252817831519272511481477474123806352110831880569955844865152409554],
[11798621276624967315721748990709309216351696098813162382053396097866233042733,
34806952212038537244506031612074847133207330427265785757809673463434908473570,
10559431278588446438155840088055546145087872298641007742921718770142881700525,
2511742758961381498086249076485723904703122022711664665388729650078747694082,
13058778062050708618301726264166109369024922071632328984390918925338427847716,
22757381433196923491096449596295348042138602481479098385721617124187105273559,
50435973648847072778532507268536698366596569483938905568975979489192305153887,
9692044244906573895772196051455153467294816541497792469074445791662352057118],
[42372918959432199162670834641599336326433006968669415662488070504036922966492,
22755759419530071315007011572076166983660942447634027701351681157370705921018,
8881354201366797207686592249590682298565723459695719800911380560885170725516,
19725785152035256359574211351446161592903393017031483635806025440159666669692,
38586107420291196905731314141240110021641762437995069426543221562298184751450,
41983342504374430034240074906024700952180454895250182619374868616288213756381,
24699580977072888772599627764765708101597323007812082074548828715213834751707,
40903613549597429611399144365203839627850863176247809657126605147801691165582],
[52181371244193189669553521955614617990714056725501643636576377752669773323445,
30334172084294870556875274308904688414158741457854908094300017436690480001547,
35548861917762862971011720475855172816698712671893796030607658203859222685056,
23828822166916376664523534857031979764654878164406016294521947902346141831375,
9525926338952422609290893812113350942492558421053540078000977304624217008060,
51628644629799777637476595789175262638422034917782233018901952051044824901545,
10527109078832366866417586795816864610030244893563632007270266203664988878415,
11194215382192152257306835491684398858682370351821177979939632309447233186888],
[23791984554824031672195249524658580601428376029501889159059009332107176394097,
19832360622723392584029764807971325641132953515557801717644226271356492507876,
5370567718707734490084045178883836972105253285449736908577321570876055642415,
24072177097374519292068993110945703798030958684413852593268331853573451397392,
51092856030717857607132039047789240547482897962295861318467321833280572912593,
51610208211871924557451265725733951220616079019514789132032962359833072317205,
14800890894612002638570836260269548031587506768363863797633541619652896335116,
47927023617684282491494208201013569921672642612236042045401823798666133017562]
];
}

View File

@ -0,0 +1,56 @@
//test
pragma circom 2.1.9;
function C_2_to_1() {
return
[
39,
41362478282768062297187132445775312675360473883834860695283235286481594490621,
9548818195234740988996233204400874453525674173109474205108603996010297049928,
25365440569177822667580105183435418073995888230868180942004497015015045856900,
34023498397393406644117994167986720327178154686105264833093891093045919619309,
38816051319719761886041858113129205506758421478656182868737326994635468402951,
35167418087531820804128377095512663922179887277669504047069913414630376083753,
25885868839756469722325652387535232478219821850603640827385444642154834700231,
8867588811641202981080659274007552529205713737251862066053445622305818871963,
36439756010140137556111047750162544185710881404522379792044818039722752946048,
7788624504122357216765350546787885309160020166693449889975992574536033007374,
3134147137704626983201116226440762775442116005053282329971088789984415999550,
50252287380741824818995733304361249016282047978221591906573165442023106203143,
48434698978712278012409706205559577163572452744833134361195687109159129985373,
32960510617530186159512413633821386297955642598241661044178889571655571939473,
12850897859166761094422335671106280470381427571695744605265713866647560628356,
14578036872634298798382048587794204613583128573535557156943783762854124345644,
21588109842058901916690548710649523388049643745013696896704903154857389904594,
35731638686520516424752846654442973203189295883541072759390882351699754104989,
34141830003233180772153845227433233456603143306530920011579259084215824391544,
30272543670850635882116596228256005460817517173808721139136515002908946750291
];
}
function D_2_to_1() {
return
[
14981678621464625851270783002338847382197300714436467949315331057125308909900,
28253420209785428420233456008091632509255652343634529984400816700490470131093,
51511939407083344002778208487678590135577660247075600880835916725469990319313,
46291121544435738125248657675097664742296276807186696922340332893747842754587,
3650460179273129580093806058710273018999560093475503119057680216309578390988,
45802223370746268123059159806400152299867771061127345631244786118574025749328,
11798621276624967315721748990709309216351696098813162382053396097866233042733,
42372918959432199162670834641599336326433006968669415662488070504036922966492,
52181371244193189669553521955614617990714056725501643636576377752669773323445,
23791984554824031672195249524658580601428376029501889159059009332107176394097,
33342520831620303764059548442834699069640109058400548818586964467754352720368,
16791548253207744974576845515705461794133799104808996134617754018912057476556,
11087343419860825311828133337767238110556416596687749174422888171911517001265,
11931207770538477937808955037363240956790374856666237106403111503668796872571,
3296943608590459582451043049934874894049468383833500962645016062634514172805,
7080580976521357573320018355401935489220216583936865937104131954142364033647,
25990144965911478244481527888046366474489820502460615136523859419965697796405,
33907313384235729375566529911940467295099705980234607934575786561097199483218,
25996950265608465541351207283024962044374873682152889814392533334239395044136,
17878892320641464292190655092475335317049416605865175118054314040434534086821,
25443622609028754422863910981890932539396181992608938932620284900889552530362
];
}

View File

@ -0,0 +1,70 @@
//test
pragma circom 2.1.9;
function C_4_to_1() {
return
[
[39,
17756515227822460609684409997111995494590448775258437999344446424780281143353],
[41362478282768062297187132445775312675360473883834860695283235286481594490621,
3384073892082712848969991795331397937188893616190315628722966662742467187281],
[9548818195234740988996233204400874453525674173109474205108603996010297049928,
51311880822158488881090781617710146800056386303122657365679608608648067582435],
[25365440569177822667580105183435418073995888230868180942004497015015045856900,
29347609441914902330741511702270026847909178228078752565372729158237774700914],
[34023498397393406644117994167986720327178154686105264833093891093045919619309,
2339620320400167830454536231899316133967303509954474267430948538955691907104],
[38816051319719761886041858113129205506758421478656182868737326994635468402951,
27338042530319738113354246208426108832239651080023276643867223794985578055610],
[35167418087531820804128377095512663922179887277669504047069913414630376083753,
42192983528513372869128514327443204912824559545179630597589572656156258515752],
[25885868839756469722325652387535232478219821850603640827385444642154834700231,
42721818980548514490325424436763032046927347769153393863616095871384405840432],
[8867588811641202981080659274007552529205713737251862066053445622305818871963,
23473499332437056484066006746048591864129988909190267521144125882222313735740],
[36439756010140137556111047750162544185710881404522379792044818039722752946048,
16497366583607480604161417644040292299204496829635795525393416854929276060989],
[7788624504122357216765350546787885309160020166693449889975992574536033007374,
16727395967350522643500778393489915391834352737211416857240725807058479128000],
[3134147137704626983201116226440762775442116005053282329971088789984415999550,
46525506418681456193255596516104416743523037046982280449529426136392814992763],
[50252287380741824818995733304361249016282047978221591906573165442023106203143,
46030886964045328670650579467522042981756109464584907077434772786649263902996],
[48434698978712278012409706205559577163572452744833134361195687109159129985373,
19216533213230709497947223526297848065365334472367022650183395435586190711770]
];
}
function D_4_to_1() {
return
[
[14981678621464625851270783002338847382197300714436467949315331057125308909900,
48720959343719104324739338388885839802998711550637402773896395605948383052052],
[28253420209785428420233456008091632509255652343634529984400816700490470131093,
6257781313532096835800460747082714697295034136932481743077166200794135826591],
[51511939407083344002778208487678590135577660247075600880835916725469990319313,
4386017178186728799761421274050927732938229436976005221436222062273391481632],
[46291121544435738125248657675097664742296276807186696922340332893747842754587,
13820180736478645172746469075181304604729976364812127548341524461074783412926],
[3650460179273129580093806058710273018999560093475503119057680216309578390988,
40385222771838099109662234020243831589690223478794847201235014486200724862134],
[45802223370746268123059159806400152299867771061127345631244786118574025749328,
50306980075778262214155693291132052551559962723436936231611301042966928400825],
[11798621276624967315721748990709309216351696098813162382053396097866233042733,
34806952212038537244506031612074847133207330427265785757809673463434908473570],
[42372918959432199162670834641599336326433006968669415662488070504036922966492,
22755759419530071315007011572076166983660942447634027701351681157370705921018],
[52181371244193189669553521955614617990714056725501643636576377752669773323445,
30334172084294870556875274308904688414158741457854908094300017436690480001547],
[23791984554824031672195249524658580601428376029501889159059009332107176394097,
19832360622723392584029764807971325641132953515557801717644226271356492507876],
[33342520831620303764059548442834699069640109058400548818586964467754352720368,
5828182614154296575131381170785760240834851189333374788484657124381010655319],
[16791548253207744974576845515705461794133799104808996134617754018912057476556,
23729797853490401568967730686618146850735129707152853256809050789424668284094],
[11087343419860825311828133337767238110556416596687749174422888171911517001265,
22848708497596347027267124890363029002241440143993561170521113640580467699956],
[11931207770538477937808955037363240956790374856666237106403111503668796872571,
51131682674615117766578358255722474622484771145670260043231096654077231782319]
];
}

View File

@ -0,0 +1,49 @@
#!/bin/bash
set -e
TAU=../../../keys/powersOfTau20_BLS_final.ptau
circom "$1.circom" --r1cs --wasm -p bls12381
cd "$1_js/"
node generate_witness.js "$1.wasm" ../input.json ../witness.wtns
cd ..
rm -R "$1_js/"
snarkjs groth16 setup "$1.r1cs" $TAU circuit_0000.zkey -v
snarkjs zkey contribute circuit_0000.zkey circuit_0001.zkey --name="1st Contributor Name" -e="entropy" -v
snarkjs zkey beacon circuit_0001.zkey "$1.zkey" 0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 10 -n="Final Beacon phase2" -v
snarkjs zkey export verificationkey "$1.zkey" verification_key.json -v
rm circuit_0*
#for i in `seq 1 20`;
#do
# ../../../rapidsnark/package/bin/prover "$1.zkey" witness.wtns proof.json public.json
snarkjs groth16 prove "$1.zkey" witness.wtns proof.json public.json
#done
#start=$(date +%s%6N)
#for i in `seq 1 100`;
#do
snarkjs groth16 prove "$1.zkey" witness.wtns proof.json public.json
#../../../rapidsnark/package/bin/prover "$1.zkey" witness.wtns proof.json public.json
#done
#end=$(date +%s%6N)
rm witness.wtns
snarkjs groth16 verify verification_key.json public.json proof.json
#temps=$((($end-$start)/100))
#echo "Temps de la preuve: $temps micro secondes "
rm "$1.zkey"

@ -0,0 +1 @@
Subproject commit cff5ab6288b55ef23602221694a6a38a0239dcc0

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,301 @@
//test
pragma circom 2.1.9;
include "anemoi/anemoi_2_to_1_Jubjub.circom";
include "anemoi/anemoi_4_to_1_Jubjub.circom";
include "anemoi/anemoi_16_to_1_Jubjub.circom";
include "../../circomlib-master/circuits/bitify.circom";
template BLSLessThan(n) {
assert(n <= 253);
signal input in[2];
signal output out;
component n2b = Num2Bits(n+1);
n2b.in <== in[0]+ (1<<n) - in[1];
out <== 1-n2b.out[n];
}
template BLSNum2Bits_strict() {
signal input in;
signal output out[255];
component check_range = CompConstant(23487852865797141623554994256013988874373056334117496812739262697960298774528); // -1 - 2**254 (p-1 without its first bit)
component n2b = Num2Bits(255);
in ==> n2b.in;
for (var i=0; i<255; i++) {
n2b.out[i] ==> out[i];
if(i != 0){
n2b.out[i] ==> check_range.in[i-1];
}
}
check_range.out * (n2b.out[0]) === 0; //must be zero exept if the first bit is 0 => then in is on 254 bits and p-1 on 255
}
template BLSBits2Num_strict() {
signal input in[255];
signal output out;
component check_range = CompConstant(23487852865797141623554994256013988874373056334117496812739262697960298774528);
component b2n = Bits2Num(255);
for (var i=0; i<255; i++) {
in[i] ==> b2n.in[i];
if(i != 0){
in[i] ==> check_range.in[i-1];
}
}
check_range.out * in[0] === 0;
b2n.out ==> out;
}
template check_bits(n){
signal input bits[n];
for(var i=0; i<n; i++){
bits[i] * (1-bits[i]) === 0;
}
}
template check_lottery(){
signal input epoch_nonce;
signal input slot_number;
signal input t0;
signal input t1; // The precomputed threshold values
signal input constraints;
signal input value;
signal input unit;
signal input state;
signal input note_nonce;
signal input nullifier_secret_key;
signal input randomness;
component hash = hash_16_to_1();
//The b"lead" Tag converted in F_p element (from bits with big endian order)
hash.in[0] <== 1818583396;
hash.in[1] <== epoch_nonce;
hash.in[2] <== slot_number;
hash.in[3] <== constraints;
hash.in[4] <== value;
hash.in[5] <== unit;
hash.in[6] <== state;
hash.in[7] <== note_nonce;
hash.in[8] <== nullifier_secret_key;
hash.in[9] <== randomness;
for(var i=10; i<16; i++){
hash.in[i] <== 0;
}
// As p-1 is divisible by 4, if X follows a uniform distribution between 0 and p-1
// Y = X % (p-1)/4 nearly follows a uniform distribution between 0 and ((p-1)/4)-1 (exept that 0 has 20% more chance to appear than another element which is negligible)
// So we transform the hash of a maximum of 255 to a hash of a maximum of 253 bits by taking its modulo
// (p-1)/4 = 13108968793781547619861935127046491459422638125131909455650914674984645296128
// TODO: check this part to ensure it is secure
signal quotient;
signal ticket;
quotient <-- hash.out \ 13108968793781547619861935127046491459422638125131909455650914674984645296128;
ticket <-- hash.out % 13108968793781547619861935127046491459422638125131909455650914674984645296128;
//check that quotient is 0,1,2 or 3
signal check_quotient[2];
check_quotient[0] <== quotient * (1-quotient);
check_quotient[1] <== (2-quotient)*(3-quotient);
check_quotient[0] * check_quotient[1] === 0;
//check the correctness of the division
ticket + quotient * 13108968793781547619861935127046491459422638125131909455650914674984645296128 === hash.out;
//check that the ticket is less than the divisor
component isLess = CompConstant(13108968793781547619861935127046491459422638125131909455650914674984645296128);
component bitifier = BLSNum2Bits_strict();
bitifier.in <== ticket;
bitifier.out[254] === 0;
for(var i=0; i<254; i++){
isLess.in[i] <== bitifier.out[i];
}
isLess.out === 0;
// Compute the threshold
signal intermediate_value;
signal threshold;
intermediate_value <== t0 + t1 * value;
threshold <== intermediate_value * value;
// Ensure that the ticket is winning
component isLess2 = BLSLessThan(253);
isLess2.in[0] <== ticket;
isLess2.in[1] <== threshold;
isLess2.out === 1;
}
template nullifier_computer(){
signal input note_nonce;
signal input nullifier_secret_key;
signal input value;
signal output nullifier;
component hash = hash_4_to_1();
//The b"coin-nullifier" Tag converted in F_p element (from bits with big endian order)
hash.in[0] <== 2016785505923014207119328528655730;
hash.in[1] <== note_nonce;
hash.in[2] <== nullifier_secret_key;
hash.in[3] <== value;
nullifier <== hash.out;
}
template commitment_computer(){
signal input note_nonce;
signal input nullifier_public_key;
signal input value;
signal output commitment;
component hash = hash_4_to_1();
//The b"coin-commitment" Tag converted in F_p element (from bits with big endian order)
hash.in[0] <== 516297089516239580383111224192495220;
hash.in[1] <== note_nonce;
hash.in[2] <== nullifier_public_key;
hash.in[3] <== value;
commitment <== hash.out;
}
template nonce_updater(){
signal input note_nonce;
signal input nullifier_secret_key;
signal output updated_nonce;
component hash = hash_4_to_1();
//The b"coin-evolve" Tag converted in F_p element (from bits with big endian order)
hash.in[0] <== 120209783668687835891529317;
hash.in[1] <== note_nonce;
hash.in[2] <== nullifier_secret_key;
hash.in[3] <== 0;
updated_nonce <== hash.out;
}
template membership_checker(){
signal input leaf; //The note commitment
signal input root; //The root of the Merkle Tree (of depth 32)
signal input index[32]; //Position of the note commitment in bits in big endian
signal input node[32]; //Complementary hashes
component hash[32];
for(var i=0; i<32; i++){
hash[i] = hash_2_to_1();
}
hash[0].in[0] <== leaf - index[31] * (leaf - node[0]);
hash[0].in[1] <== node[0] - index[31] * (node[0] - leaf);
for(var i=1; i<32; i++){
hash[i].in[0] <== hash[i-1].out - index[31-i] * (hash[i-1].out - node[i]);
hash[i].in[1] <== node[i] - index[31-i] * (node[i] - hash[i-1].out);
}
root === hash[31].out;
}
template anemoi_proof_of_leadership(){
signal input epoch_nonce; //F_p (BLS12-381 scalar field)
signal input slot_number; //F_p (BLS12-381 scalar field)
signal input t0; // Precomputed threshold elements in F_p
signal input t1;
signal input commitments_root;
// Note variables
signal input constraints; // Every note field represented as F_p elements for now (constraints are represented by their Merkle root)
signal input value;
signal input unit;
signal input state;
signal input note_nonce;
signal input nullifier_secret_key;
signal input randomness;
signal input index[32]; //Position of the note commitment in bits in big endian
signal input nodes[32]; //Merkle proof of the commitment
signal output nullifier;
signal output updated_commiment;
// Check that index inputs are indeed bits
component bit_checker = check_bits(32);
for(var i=0; i<32; i++){
bit_checker.bits[i] <== index[i];
}
// Check that r < threshold
component lottery_checker = check_lottery();
lottery_checker.epoch_nonce <== epoch_nonce;
lottery_checker.slot_number <== slot_number;
lottery_checker.t0 <== t0;
lottery_checker.t1 <== t1;
lottery_checker.constraints <== constraints;
lottery_checker.value <== value;
lottery_checker.unit <== unit;
lottery_checker.state <== state;
lottery_checker.note_nonce <== note_nonce;
lottery_checker.nullifier_secret_key <== nullifier_secret_key;
lottery_checker.randomness <== randomness;
// Compute the note commitment
component note_committer = commitment_computer();
note_committer.note_nonce <== note_nonce;
note_committer.nullifier_public_key <== nullifier_secret_key; // TODO: reflect the nullifier public key computation later when defined
note_committer.value <== value;
// Check the commitment membership
component membership_checker = membership_checker();
membership_checker.leaf <== note_committer.commitment;
membership_checker.root <== commitments_root;
for(var i =0; i<32; i++){
membership_checker.index[i] <== index[i];
membership_checker.node[i] <== nodes[i];
}
// Compute the note nullifier
component nullifier_computer = nullifier_computer();
nullifier_computer.note_nonce <== note_nonce;
nullifier_computer.nullifier_secret_key <== nullifier_secret_key;
nullifier_computer.value <== value;
nullifier <== nullifier_computer.nullifier;
// Compute the evolved nonce
component nonce_updater = nonce_updater();
nonce_updater.note_nonce <== note_nonce;
nonce_updater.nullifier_secret_key <== nullifier_secret_key;
// Compute the new note commitment
component updated_note_committer = commitment_computer();
updated_note_committer.note_nonce <== nonce_updater.updated_nonce;
updated_note_committer.nullifier_public_key <== nullifier_secret_key; // TODO: reflect the nullifier public key computation later when defined
updated_note_committer.value <== value;
updated_commiment <== updated_note_committer.commitment;
}
component main {public [epoch_nonce, slot_number, t0, t1, commitments_root]} = anemoi_proof_of_leadership();

View File

@ -0,0 +1,317 @@
//test
pragma circom 2.1.9;
include "anemoi/anemoi_2_to_1_Jubjub.circom";
include "anemoi/anemoi_4_to_1_Jubjub.circom";
include "anemoi/anemoi_16_to_1_Jubjub.circom";
include "../../circomlib-master/circuits/bitify.circom";
include "../../circomlib-master/circuits/sha256/sha256.circom";
template BLSLessThan(n) {
assert(n <= 253);
signal input in[2];
signal output out;
component n2b = Num2Bits(n+1);
n2b.in <== in[0]+ (1<<n) - in[1];
out <== 1-n2b.out[n];
}
template BLSNum2Bits_strict() {
signal input in;
signal output out[255];
component check_range = CompConstant(23487852865797141623554994256013988874373056334117496812739262697960298774528); // -1 - 2**254 (p-1 without its first bit)
component n2b = Num2Bits(255);
in ==> n2b.in;
for (var i=0; i<255; i++) {
n2b.out[i] ==> out[i];
if(i != 0){
n2b.out[i] ==> check_range.in[i-1];
}
}
check_range.out * (n2b.out[0]) === 0; //must be zero exept if the first bit is 0 => then in is on 254 bits and p-1 on 255
}
template BLSBits2Num_strict() {
signal input in[255];
signal output out;
component check_range = CompConstant(23487852865797141623554994256013988874373056334117496812739262697960298774528);
component b2n = Bits2Num(255);
for (var i=0; i<255; i++) {
in[i] ==> b2n.in[i];
if(i != 0){
in[i] ==> check_range.in[i-1];
}
}
check_range.out * in[0] === 0;
b2n.out ==> out;
}
template check_bits(n){
signal input bits[n];
for(var i=0; i<n; i++){
bits[i] * (1-bits[i]) === 0;
}
}
template check_lottery(){
signal input epoch_nonce;
signal input slot_number;
signal input t0;
signal input t1; // The precomputed threshold values
signal input constraints;
signal input value;
signal input unit;
signal input state;
signal input note_nonce;
signal input nullifier_secret_key;
signal input randomness;
component hash = Sha256(2336);
component bitifier[9];
for(var i=0; i<9; i++){
bitifier[i] = BLSNum2Bits_strict();
}
bitifier[0].in <== epoch_nonce;
bitifier[1].in <== slot_number;
bitifier[2].in <== constraints;
bitifier[3].in <== value;
bitifier[4].in <== unit;
bitifier[5].in <== state;
bitifier[6].in <== note_nonce;
bitifier[7].in <== nullifier_secret_key;
bitifier[8].in <== randomness;
//The b"lead" Tag in bits with big endian order
hash.in[0] <== 0;
hash.in[1] <== 1;
hash.in[2] <== 1;
hash.in[3] <== 0;
hash.in[4] <== 1;
hash.in[5] <== 1;
hash.in[6] <== 0;
hash.in[7] <== 0;
hash.in[8] <== 0;
hash.in[9] <== 1;
hash.in[10] <== 1;
hash.in[11] <== 0;
hash.in[12] <== 0;
hash.in[13] <== 1;
hash.in[14] <== 0;
hash.in[15] <== 1;
hash.in[16] <== 0;
hash.in[17] <== 1;
hash.in[18] <== 1;
hash.in[19] <== 0;
hash.in[20] <== 0;
hash.in[21] <== 0;
hash.in[22] <== 0;
hash.in[23] <== 1;
hash.in[24] <== 0;
hash.in[25] <== 1;
hash.in[26] <== 1;
hash.in[27] <== 0;
hash.in[28] <== 0;
hash.in[29] <== 1;
hash.in[30] <== 0;
hash.in[31] <== 0;
for(var i=0; i<256; i++){
for(var j=0; j<9; j++){
if(i != 0){
hash.in[32+256*j+i] <== bitifier[j].out[255-i];
} else {
hash.in[32+256*j] <== 0;
}
}
}
component intifier = Bits2Num(253); //Because if the scalar field is 255 bits, we support every number of 254 bits (not all of 255) and we can only compare numbers of 253 bits since we need 1 bit for sign.
for(var i=0; i<253; i++){
intifier.in[i] <== hash.out[253-i];
}
// Compute the threshold
signal intermediate_value;
signal threshold;
intermediate_value <== t0 + t1 * value;
threshold <== intermediate_value * value;
// Ensure that the ticket is winning
component isLess2 = BLSLessThan(253);
isLess2.in[0] <== intifier.out;
isLess2.in[1] <== threshold;
isLess2.out === 1;
}
template nullifier_computer(){
signal input note_nonce;
signal input nullifier_secret_key;
signal input value;
signal output nullifier;
component hash = hash_4_to_1();
//The b"coin-nullifier" Tag converted in F_p element (from bits with big endian order)
hash.in[0] <== 2016785505923014207119328528655730;
hash.in[1] <== note_nonce;
hash.in[2] <== nullifier_secret_key;
hash.in[3] <== value;
nullifier <== hash.out;
}
template commitment_computer(){
signal input note_nonce;
signal input nullifier_public_key;
signal input value;
signal output commitment;
component hash = hash_4_to_1();
//The b"coin-commitment" Tag converted in F_p element (from bits with big endian order)
hash.in[0] <== 516297089516239580383111224192495220;
hash.in[1] <== note_nonce;
hash.in[2] <== nullifier_public_key;
hash.in[3] <== value;
commitment <== hash.out;
}
template nonce_updater(){
signal input note_nonce;
signal input nullifier_secret_key;
signal output updated_nonce;
component hash = hash_4_to_1();
//The b"coin-evolve" Tag converted in F_p element (from bits with big endian order)
hash.in[0] <== 120209783668687835891529317;
hash.in[1] <== note_nonce;
hash.in[2] <== nullifier_secret_key;
hash.in[3] <== 0;
updated_nonce <== hash.out;
}
template membership_checker(){
signal input leaf; //The note commitment
signal input root; //The root of the Merkle Tree (of depth 32)
signal input index[32]; //Position of the note commitment in bits in big endian
signal input node[32]; //Complementary hashes
component hash[32];
for(var i=0; i<32; i++){
hash[i] = hash_2_to_1();
}
hash[0].in[0] <== leaf - index[31] * (leaf - node[0]);
hash[0].in[1] <== node[0] - index[31] * (node[0] - leaf);
for(var i=1; i<32; i++){
hash[i].in[0] <== hash[i-1].out - index[31-i] * (hash[i-1].out - node[i]);
hash[i].in[1] <== node[i] - index[31-i] * (node[i] - hash[i-1].out);
}
root === hash[31].out;
}
template anemoi_sha_proof_of_leadership(){
signal input epoch_nonce; //F_p (BLS12-381 scalar field)
signal input slot_number; //F_p (BLS12-381 scalar field)
signal input t0; // Precomputed threshold elements in F_p
signal input t1;
signal input commitments_root;
// Note variables
signal input constraints; // Every note field represented as F_p elements for now (constraints are represented by their Merkle root)
signal input value;
signal input unit;
signal input state;
signal input note_nonce;
signal input nullifier_secret_key;
signal input randomness;
signal input index[32]; //Position of the note commitment in bits in big endian
signal input nodes[32]; //Merkle proof of the commitment
signal output nullifier;
signal output updated_commiment;
// Check that index inputs are indeed bits
component bit_checker = check_bits(32);
for(var i=0; i<32; i++){
bit_checker.bits[i] <== index[i];
}
// Check that r < threshold
component lottery_checker = check_lottery();
lottery_checker.epoch_nonce <== epoch_nonce;
lottery_checker.slot_number <== slot_number;
lottery_checker.t0 <== t0;
lottery_checker.t1 <== t1;
lottery_checker.constraints <== constraints;
lottery_checker.value <== value;
lottery_checker.unit <== unit;
lottery_checker.state <== state;
lottery_checker.note_nonce <== note_nonce;
lottery_checker.nullifier_secret_key <== nullifier_secret_key;
lottery_checker.randomness <== randomness;
// Compute the note commitment
component note_committer = commitment_computer();
note_committer.note_nonce <== note_nonce;
note_committer.nullifier_public_key <== nullifier_secret_key; // TODO: reflect the nullifier public key computation later when defined
note_committer.value <== value;
// Check the commitment membership
component membership_checker = membership_checker();
membership_checker.leaf <== note_committer.commitment;
membership_checker.root <== commitments_root;
for(var i =0; i<32; i++){
membership_checker.index[i] <== index[i];
membership_checker.node[i] <== nodes[i];
}
// Compute the note nullifier
component nullifier_computer = nullifier_computer();
nullifier_computer.note_nonce <== note_nonce;
nullifier_computer.nullifier_secret_key <== nullifier_secret_key;
nullifier_computer.value <== value;
nullifier <== nullifier_computer.nullifier;
// Compute the evolved nonce
component nonce_updater = nonce_updater();
nonce_updater.note_nonce <== note_nonce;
nonce_updater.nullifier_secret_key <== nullifier_secret_key;
// Compute the new note commitment
component updated_note_committer = commitment_computer();
updated_note_committer.note_nonce <== nonce_updater.updated_nonce;
updated_note_committer.nullifier_public_key <== nullifier_secret_key; // TODO: reflect the nullifier public key computation later when defined
updated_note_committer.value <== value;
updated_commiment <== updated_note_committer.commitment;
}
component main {public [epoch_nonce, slot_number, t0, t1, commitments_root]} = anemoi_sha_proof_of_leadership();

View File

@ -0,0 +1,301 @@
//test
pragma circom 2.1.9;
include "poseidon/poseidon_2_to_1_Jubjub.circom";
include "poseidon/poseidon_4_to_1_Jubjub.circom";
include "poseidon/poseidon_16_to_1_Jubjub.circom";
include "../../circomlib-master/circuits/bitify.circom";
template BLSLessThan(n) {
assert(n <= 253);
signal input in[2];
signal output out;
component n2b = Num2Bits(n+1);
n2b.in <== in[0]+ (1<<n) - in[1];
out <== 1-n2b.out[n];
}
template BLSNum2Bits_strict() {
signal input in;
signal output out[255];
// Ensure that out is lower than p
component check_range = CompConstant(23487852865797141623554994256013988874373056334117496812739262697960298774528); // -1 - 2**254 (p-1 without its first bit)
component n2b = Num2Bits(255);
in ==> n2b.in;
for (var i=0; i<255; i++) {
n2b.out[i] ==> out[i];
if(i != 0){
n2b.out[i] ==> check_range.in[i-1];
}
}
check_range.out * (n2b.out[0]) === 0; //must be zero exept if the first bit is 0 => then in is on 254 bits and p-1 on 255
}
template BLSBits2Num_strict() {
signal input in[255];
signal output out;
//ensure that in is not greater than p
component check_range = CompConstant(23487852865797141623554994256013988874373056334117496812739262697960298774528);
component b2n = Bits2Num(255);
for (var i=0; i<255; i++) {
in[i] ==> b2n.in[i];
if(i != 0){
in[i] ==> check_range.in[i-1];
}
}
check_range.out * in[0] === 0;
b2n.out ==> out;
}
template check_bits(n){
signal input bits[n];
for(var i=0; i<n; i++){
bits[i] * (1-bits[i]) === 0;
}
}
template check_lottery(){
signal input epoch_nonce;
signal input slot_number;
signal input t0;
signal input t1; // The precomputed threshold values
signal input constraints;
signal input value;
signal input unit;
signal input state;
signal input note_nonce;
signal input nullifier_secret_key;
signal input randomness;
component hash = hash_16_to_1();
//The b"lead" Tag converted in F_p element (from bits with big endian order)
hash.in[0] <== 1818583396;
hash.in[1] <== epoch_nonce;
hash.in[2] <== slot_number;
hash.in[3] <== constraints;
hash.in[4] <== value;
hash.in[5] <== unit;
hash.in[6] <== state;
hash.in[7] <== note_nonce;
hash.in[8] <== nullifier_secret_key;
hash.in[9] <== randomness;
for(var i=10; i<16; i++){
hash.in[i] <== 0;
}
// As p-1 is divisible by 4, if X follows a uniform distribution between 0 and p-1
// Y = X % (p-1)/4 nearly follows a uniform distribution between 0 and ((p-1)/4)-1 (exept that 0 has 20% more chance to appear than another element which is negligible)
// So we transform the hash of a maximum of 255 to a hash of a maximum of 253 bits by taking its modulo
// (p-1)/4 = 13108968793781547619861935127046491459422638125131909455650914674984645296128
// TODO: check this part to ensure it is secure
signal quotient;
signal ticket;
quotient <-- hash.out \ 13108968793781547619861935127046491459422638125131909455650914674984645296128;
ticket <-- hash.out % 13108968793781547619861935127046491459422638125131909455650914674984645296128;
//check that quotient is 0,1,2 or 3
signal check_quotient[2];
check_quotient[0] <== quotient * (1-quotient);
check_quotient[1] <== (2-quotient)*(3-quotient);
check_quotient[0] * check_quotient[1] === 0;
//check the correctness of the division
ticket + quotient * 13108968793781547619861935127046491459422638125131909455650914674984645296128 === hash.out;
//check that the ticket is less than the divisor
component isLess = CompConstant(13108968793781547619861935127046491459422638125131909455650914674984645296128);
component bitifier = BLSNum2Bits_strict();
bitifier.in <== ticket;
bitifier.out[254] === 0;
for(var i=0; i<254; i++){
isLess.in[i] <== bitifier.out[i];
}
isLess.out === 0;
// Compute the threshold
signal intermediate_value;
signal threshold;
intermediate_value <== t0 + t1 * value;
threshold <== intermediate_value * value;
// Ensure that the ticket is indeed 253 bits and that the ticket is winning
component isLess2 = BLSLessThan(253);
isLess2.in[0] <== ticket;
isLess2.in[1] <== threshold;
isLess2.out === 1;
}
template nullifier_computer(){
signal input note_nonce;
signal input nullifier_secret_key;
signal input value;
signal output nullifier;
component hash = hash_4_to_1();
//The b"coin-nullifier" Tag converted in F_p element (from bits with big endian order)
hash.in[0] <== 2016785505923014207119328528655730;
hash.in[1] <== note_nonce;
hash.in[2] <== nullifier_secret_key;
hash.in[3] <== value;
nullifier <== hash.out;
}
template commitment_computer(){
signal input note_nonce;
signal input nullifier_public_key;
signal input value;
signal output commitment;
component hash = hash_4_to_1();
//The b"coin-commitment" Tag converted in F_p element (from bits with big endian order)
hash.in[0] <== 516297089516239580383111224192495220;
hash.in[1] <== note_nonce;
hash.in[2] <== nullifier_public_key;
hash.in[3] <== value;
commitment <== hash.out;
}
template nonce_updater(){
signal input note_nonce;
signal input nullifier_secret_key;
signal output updated_nonce;
component hash = hash_4_to_1();
//The b"coin-evolve" Tag converted in F_p element (from bits with big endian order)
hash.in[0] <== 120209783668687835891529317;
hash.in[1] <== note_nonce;
hash.in[2] <== nullifier_secret_key;
hash.in[3] <== 0;
updated_nonce <== hash.out;
}
template membership_checker(){
signal input leaf; //The note commitment
signal input root; //The root of the Merkle Tree (of depth 32)
signal input index[32]; //Position of the note commitment in bits in big endian
signal input node[32]; //Complementary hashes
component hash[32];
for(var i=0; i<32; i++){
hash[i] = hash_2_to_1();
}
hash[0].in[0] <== leaf - index[31] * (leaf - node[0]);
hash[0].in[1] <== node[0] - index[31] * (node[0] - leaf);
for(var i=1; i<32; i++){
hash[i].in[0] <== hash[i-1].out - index[31-i] * (hash[i-1].out - node[i]);
hash[i].in[1] <== node[i] - index[31-i] * (node[i] - hash[i-1].out);
}
root === hash[31].out;
}
template poseidon_proof_of_leadership(){
signal input epoch_nonce; //F_p (BLS12-381 scalar field)
signal input slot_number; //F_p (BLS12-381 scalar field)
signal input t0; // Precomputed threshold elements in F_p
signal input t1;
signal input commitments_root;
// Note variables
signal input constraints; // Every note field represented as F_p elements for now (constraints are represented by their Merkle root)
signal input value;
signal input unit;
signal input state;
signal input note_nonce;
signal input nullifier_secret_key;
signal input randomness;
signal input index[32]; //Position of the note commitment in bits in big endian
signal input nodes[32]; //Merkle proof of the commitment
signal output nullifier;
signal output updated_commiment;
// Check that index inputs are indeed bits
component bit_checker = check_bits(32);
for(var i=0; i<32; i++){
bit_checker.bits[i] <== index[i];
}
// Check that r < threshold
component lottery_checker = check_lottery();
lottery_checker.epoch_nonce <== epoch_nonce;
lottery_checker.slot_number <== slot_number;
lottery_checker.t0 <== t0;
lottery_checker.t1 <== t1;
lottery_checker.constraints <== constraints;
lottery_checker.value <== value;
lottery_checker.unit <== unit;
lottery_checker.state <== state;
lottery_checker.note_nonce <== note_nonce;
lottery_checker.nullifier_secret_key <== nullifier_secret_key;
lottery_checker.randomness <== randomness;
// Compute the note commitment
component note_committer = commitment_computer();
note_committer.note_nonce <== note_nonce;
note_committer.nullifier_public_key <== nullifier_secret_key; // TODO: reflect the nullifier public key computation later when defined
note_committer.value <== value;
// Check the commitment membership
component membership_checker = membership_checker();
membership_checker.leaf <== note_committer.commitment;
membership_checker.root <== commitments_root;
for(var i =0; i<32; i++){
membership_checker.index[i] <== index[i];
membership_checker.node[i] <== nodes[i];
}
// Compute the note nullifier
component nullifier_computer = nullifier_computer();
nullifier_computer.note_nonce <== note_nonce;
nullifier_computer.nullifier_secret_key <== nullifier_secret_key;
nullifier_computer.value <== value;
nullifier <== nullifier_computer.nullifier;
// Compute the evolved nonce
component nonce_updater = nonce_updater();
nonce_updater.note_nonce <== note_nonce;
nonce_updater.nullifier_secret_key <== nullifier_secret_key;
// Compute the new note commitment
component updated_note_committer = commitment_computer();
updated_note_committer.note_nonce <== nonce_updater.updated_nonce;
updated_note_committer.nullifier_public_key <== nullifier_secret_key; // TODO: reflect the nullifier public key computation later when defined
updated_note_committer.value <== value;
updated_commiment <== updated_note_committer.commitment;
}
component main {public [epoch_nonce, slot_number, t0, t1, commitments_root]} = poseidon_proof_of_leadership();

View File

@ -0,0 +1,318 @@
//test
pragma circom 2.1.9;
include "poseidon/poseidon_2_to_1_Jubjub.circom";
include "poseidon/poseidon_4_to_1_Jubjub.circom";
include "poseidon/poseidon_16_to_1_Jubjub.circom";
include "../../circomlib-master/circuits/bitify.circom";
include "../../circomlib-master/circuits/sha256/sha256.circom";
template BLSLessThan(n) {
assert(n <= 253);
signal input in[2];
signal output out;
component n2b = Num2Bits(n+1);
n2b.in <== in[0]+ (1<<n) - in[1];
out <== 1-n2b.out[n];
}
template BLSNum2Bits_strict() {
signal input in;
signal output out[255];
// Ensure that out is lower than p
component check_range = CompConstant(23487852865797141623554994256013988874373056334117496812739262697960298774528); // -1 - 2**254 (p-1 without its first bit)
component n2b = Num2Bits(255);
in ==> n2b.in;
for (var i=0; i<255; i++) {
n2b.out[i] ==> out[i];
if(i != 0){
n2b.out[i] ==> check_range.in[i-1];
}
}
check_range.out * (n2b.out[0]) === 0; //must be zero exept if the first bit is 0 => then in is on 254 bits and p-1 on 255
}
template BLSBits2Num_strict() {
signal input in[255];
signal output out;
//ensure that in is not greater than p
component check_range = CompConstant(23487852865797141623554994256013988874373056334117496812739262697960298774528);
component b2n = Bits2Num(255);
for (var i=0; i<255; i++) {
in[i] ==> b2n.in[i];
if(i != 0){
in[i] ==> check_range.in[i-1];
}
}
check_range.out * in[0] === 0;
b2n.out ==> out;
}
template check_bits(n){
signal input bits[n];
for(var i=0; i<n; i++){
bits[i] * (1-bits[i]) === 0;
}
}
template check_lottery(){
signal input epoch_nonce;
signal input slot_number;
signal input t0;
signal input t1; // The precomputed threshold values
signal input constraints;
signal input value;
signal input unit;
signal input state;
signal input note_nonce;
signal input nullifier_secret_key;
signal input randomness;
component hash = Sha256(2336);
component bitifier[9];
for(var i=0; i<9; i++){
bitifier[i] = BLSNum2Bits_strict();
}
bitifier[0].in <== epoch_nonce;
bitifier[1].in <== slot_number;
bitifier[2].in <== constraints;
bitifier[3].in <== value;
bitifier[4].in <== unit;
bitifier[5].in <== state;
bitifier[6].in <== note_nonce;
bitifier[7].in <== nullifier_secret_key;
bitifier[8].in <== randomness;
//The b"lead" Tag in bits with big endian order
hash.in[0] <== 0;
hash.in[1] <== 1;
hash.in[2] <== 1;
hash.in[3] <== 0;
hash.in[4] <== 1;
hash.in[5] <== 1;
hash.in[6] <== 0;
hash.in[7] <== 0;
hash.in[8] <== 0;
hash.in[9] <== 1;
hash.in[10] <== 1;
hash.in[11] <== 0;
hash.in[12] <== 0;
hash.in[13] <== 1;
hash.in[14] <== 0;
hash.in[15] <== 1;
hash.in[16] <== 0;
hash.in[17] <== 1;
hash.in[18] <== 1;
hash.in[19] <== 0;
hash.in[20] <== 0;
hash.in[21] <== 0;
hash.in[22] <== 0;
hash.in[23] <== 1;
hash.in[24] <== 0;
hash.in[25] <== 1;
hash.in[26] <== 1;
hash.in[27] <== 0;
hash.in[28] <== 0;
hash.in[29] <== 1;
hash.in[30] <== 0;
hash.in[31] <== 0;
for(var i=0; i<256; i++){
for(var j=0; j<9; j++){
if(i != 0){
hash.in[32+256*j+i] <== bitifier[j].out[255-i];
} else {
hash.in[32+256*j] <== 0;
}
}
}
component intifier = Bits2Num(253); //Because if the scalar field is 255 bits, we support every number of 254 bits (not all of 255) and we can only compare numbers of 253 bits since we need 1 bit for sign.
for(var i=0; i<253; i++){
intifier.in[i] <== hash.out[253-i];
}
// Compute the threshold
signal intermediate_value;
signal threshold;
intermediate_value <== t0 + t1 * value;
threshold <== intermediate_value * value;
// Ensure that the ticket is winning
component isLess2 = BLSLessThan(253);
isLess2.in[0] <== intifier.out;
isLess2.in[1] <== threshold;
//isLess2.out === 1;
}
template nullifier_computer(){
signal input note_nonce;
signal input nullifier_secret_key;
signal input value;
signal output nullifier;
component hash = hash_4_to_1();
//The b"coin-nullifier" Tag converted in F_p element (from bits with big endian order)
hash.in[0] <== 2016785505923014207119328528655730;
hash.in[1] <== note_nonce;
hash.in[2] <== nullifier_secret_key;
hash.in[3] <== value;
nullifier <== hash.out;
}
template commitment_computer(){
signal input note_nonce;
signal input nullifier_public_key;
signal input value;
signal output commitment;
component hash = hash_4_to_1();
//The b"coin-commitment" Tag converted in F_p element (from bits with big endian order)
hash.in[0] <== 516297089516239580383111224192495220;
hash.in[1] <== note_nonce;
hash.in[2] <== nullifier_public_key;
hash.in[3] <== value;
commitment <== hash.out;
}
template nonce_updater(){
signal input note_nonce;
signal input nullifier_secret_key;
signal output updated_nonce;
component hash = hash_4_to_1();
//The b"coin-evolve" Tag converted in F_p element (from bits with big endian order)
hash.in[0] <== 120209783668687835891529317;
hash.in[1] <== note_nonce;
hash.in[2] <== nullifier_secret_key;
hash.in[3] <== 0;
updated_nonce <== hash.out;
}
template membership_checker(){
signal input leaf; //The note commitment
signal input root; //The root of the Merkle Tree (of depth 32)
signal input index[32]; //Position of the note commitment in bits in big endian
signal input node[32]; //Complementary hashes
component hash[32];
for(var i=0; i<32; i++){
hash[i] = hash_2_to_1();
}
hash[0].in[0] <== leaf - index[31] * (leaf - node[0]);
hash[0].in[1] <== node[0] - index[31] * (node[0] - leaf);
for(var i=1; i<32; i++){
hash[i].in[0] <== hash[i-1].out - index[31-i] * (hash[i-1].out - node[i]);
hash[i].in[1] <== node[i] - index[31-i] * (node[i] - hash[i-1].out);
}
//root === hash[31].out;
}
template poseidon_sha_proof_of_leadership(){
signal input epoch_nonce; //F_p (BLS12-381 scalar field)
signal input slot_number; //F_p (BLS12-381 scalar field)
signal input t0; // Precomputed threshold elements in F_p
signal input t1;
signal input commitments_root;
// Note variables
signal input constraints; // Every note field represented as F_p elements for now (constraints are represented by their Merkle root)
signal input value;
signal input unit;
signal input state;
signal input note_nonce;
signal input nullifier_secret_key;
signal input randomness;
signal input index[32]; //Position of the note commitment in bits in big endian
signal input nodes[32]; //Merkle proof of the commitment
signal output nullifier;
signal output updated_commiment;
// Check that index inputs are indeed bits
component bit_checker = check_bits(32);
for(var i=0; i<32; i++){
bit_checker.bits[i] <== index[i];
}
// Check that r < threshold
component lottery_checker = check_lottery();
lottery_checker.epoch_nonce <== epoch_nonce;
lottery_checker.slot_number <== slot_number;
lottery_checker.t0 <== t0;
lottery_checker.t1 <== t1;
lottery_checker.constraints <== constraints;
lottery_checker.value <== value;
lottery_checker.unit <== unit;
lottery_checker.state <== state;
lottery_checker.note_nonce <== note_nonce;
lottery_checker.nullifier_secret_key <== nullifier_secret_key;
lottery_checker.randomness <== randomness;
// Compute the note commitment
component note_committer = commitment_computer();
note_committer.note_nonce <== note_nonce;
note_committer.nullifier_public_key <== nullifier_secret_key; // TODO: reflect the nullifier public key computation later when defined
note_committer.value <== value;
// Check the commitment membership
component membership_checker = membership_checker();
membership_checker.leaf <== note_committer.commitment;
membership_checker.root <== commitments_root;
for(var i =0; i<32; i++){
membership_checker.index[i] <== index[i];
membership_checker.node[i] <== nodes[i];
}
// Compute the note nullifier
component nullifier_computer = nullifier_computer();
nullifier_computer.note_nonce <== note_nonce;
nullifier_computer.nullifier_secret_key <== nullifier_secret_key;
nullifier_computer.value <== value;
nullifier <== nullifier_computer.nullifier;
// Compute the evolved nonce
component nonce_updater = nonce_updater();
nonce_updater.note_nonce <== note_nonce;
nonce_updater.nullifier_secret_key <== nullifier_secret_key;
// Compute the new note commitment
component updated_note_committer = commitment_computer();
updated_note_committer.note_nonce <== nonce_updater.updated_nonce;
updated_note_committer.nullifier_public_key <== nullifier_secret_key; // TODO: reflect the nullifier public key computation later when defined
updated_note_committer.value <== value;
updated_commiment <== updated_note_committer.commitment;
}
component main {public [epoch_nonce, slot_number, t0, t1, commitments_root]} = poseidon_sha_proof_of_leadership();

View File

@ -0,0 +1,683 @@
//test
pragma circom 2.1.9;
include "../../circomlib-master/circuits/sha256/sha256.circom";
include "../../circomlib-master/circuits/bitify.circom";
template BLSLessThan(n) {
assert(n <= 253);
signal input in[2];
signal output out;
component n2b = Num2Bits(n+1);
n2b.in <== in[0]+ (1<<n) - in[1];
out <== 1-n2b.out[n];
}
template lottery_ticket() {
signal input epoch_nonce[256]; //F_p (BLS12-381 scalar field)
signal input slot_number[64]; //F_p (BLS12-381 scalar field)
signal input note_nonce[256];
signal input nullifier_secret_key[256];
signal output r; //The lottery ticket in F_p
component hash = Sha256(864);
//The b"lead" Tag in bits with big endian order
hash.in[0] <== 0;
hash.in[1] <== 1;
hash.in[2] <== 1;
hash.in[3] <== 0;
hash.in[4] <== 1;
hash.in[5] <== 1;
hash.in[6] <== 0;
hash.in[7] <== 0;
hash.in[8] <== 0;
hash.in[9] <== 1;
hash.in[10] <== 1;
hash.in[11] <== 0;
hash.in[12] <== 0;
hash.in[13] <== 1;
hash.in[14] <== 0;
hash.in[15] <== 1;
hash.in[16] <== 0;
hash.in[17] <== 1;
hash.in[18] <== 1;
hash.in[19] <== 0;
hash.in[20] <== 0;
hash.in[21] <== 0;
hash.in[22] <== 0;
hash.in[23] <== 1;
hash.in[24] <== 0;
hash.in[25] <== 1;
hash.in[26] <== 1;
hash.in[27] <== 0;
hash.in[28] <== 0;
hash.in[29] <== 1;
hash.in[30] <== 0;
hash.in[31] <== 0;
for(var i=0; i<256; i++){
hash.in[32+i] <== epoch_nonce[i];
if(i<64){
hash.in[288+i] <== slot_number[i];
}
hash.in[352+i] <== nullifier_secret_key[i];
hash.in[608+i] <== note_nonce[i];
}
component intifier = Bits2Num(253); //Because if the scalar field is 255 bits, we support every number of 254 bits (not all of 255) and we can only compare numbers of 253 bits since we need 1 bit for sign.
for(var i=0; i<253; i++){
intifier.in[i] <== hash.out[253-i];
}
r <== intifier.out;
}
template check_lottery(){
signal input pre_computed_threshold; //253 bits
signal input v; //253 bits max
signal input epoch_nonce[256];
signal input slot_number[64];
signal input nullifier_secret_key[256];
signal input note_nonce[256];
component ticket = lottery_ticket();
for(var i=0; i<256; i++){
ticket.epoch_nonce[i] <== epoch_nonce[i];
if(i<64){
ticket.slot_number[i] <== slot_number[i];
}
ticket.nullifier_secret_key[i] <== nullifier_secret_key[i];
ticket.note_nonce[i] <== note_nonce[i];
}
component isLess = BLSLessThan(253);
isLess.in[0] <== ticket.r;
isLess.in[1] <== pre_computed_threshold * v;
//isLess.out === 1;
}
template nullifier_computer(){
signal input note_nonce[256];
signal input nullifier_public_key[256];
signal input v[256];
signal output nullifier[256];
component hash = Sha256(880);
//The b"coin-nullifier" Tag in bits with big endian order
hash.in[0] <== 0;
hash.in[1] <== 1;
hash.in[2] <== 1;
hash.in[3] <== 0;
hash.in[4] <== 0;
hash.in[5] <== 0;
hash.in[6] <== 1;
hash.in[7] <== 1;
hash.in[8] <== 0;
hash.in[9] <== 1;
hash.in[10] <== 1;
hash.in[11] <== 0;
hash.in[12] <== 1;
hash.in[13] <== 1;
hash.in[14] <== 1;
hash.in[15] <== 1;
hash.in[16] <== 0;
hash.in[17] <== 1;
hash.in[18] <== 1;
hash.in[19] <== 0;
hash.in[20] <== 1;
hash.in[21] <== 0;
hash.in[22] <== 0;
hash.in[23] <== 1;
hash.in[24] <== 0;
hash.in[25] <== 1;
hash.in[26] <== 1;
hash.in[27] <== 0;
hash.in[28] <== 1;
hash.in[29] <== 1;
hash.in[30] <== 1;
hash.in[31] <== 0;
hash.in[32] <== 0;
hash.in[33] <== 0;
hash.in[34] <== 1;
hash.in[35] <== 0;
hash.in[36] <== 1;
hash.in[37] <== 1;
hash.in[38] <== 0;
hash.in[39] <== 1;
hash.in[40] <== 0;
hash.in[41] <== 1;
hash.in[42] <== 1;
hash.in[43] <== 0;
hash.in[44] <== 1;
hash.in[45] <== 1;
hash.in[46] <== 1;
hash.in[47] <== 0;
hash.in[48] <== 0;
hash.in[49] <== 1;
hash.in[50] <== 1;
hash.in[51] <== 1;
hash.in[52] <== 0;
hash.in[53] <== 1;
hash.in[54] <== 0;
hash.in[55] <== 1;
hash.in[56] <== 0;
hash.in[57] <== 1;
hash.in[58] <== 1;
hash.in[59] <== 0;
hash.in[60] <== 1;
hash.in[61] <== 1;
hash.in[62] <== 0;
hash.in[63] <== 0;
hash.in[64] <== 0;
hash.in[65] <== 1;
hash.in[66] <== 1;
hash.in[67] <== 0;
hash.in[68] <== 1;
hash.in[69] <== 1;
hash.in[70] <== 0;
hash.in[71] <== 0;
hash.in[72] <== 0;
hash.in[73] <== 1;
hash.in[74] <== 1;
hash.in[75] <== 0;
hash.in[76] <== 1;
hash.in[77] <== 0;
hash.in[78] <== 0;
hash.in[79] <== 1;
hash.in[80] <== 0;
hash.in[81] <== 1;
hash.in[82] <== 1;
hash.in[83] <== 0;
hash.in[84] <== 0;
hash.in[85] <== 1;
hash.in[86] <== 1;
hash.in[87] <== 0;
hash.in[88] <== 0;
hash.in[89] <== 1;
hash.in[90] <== 1;
hash.in[91] <== 0;
hash.in[92] <== 1;
hash.in[93] <== 0;
hash.in[94] <== 0;
hash.in[95] <== 1;
hash.in[96] <== 0;
hash.in[97] <== 1;
hash.in[98] <== 1;
hash.in[99] <== 0;
hash.in[100] <== 0;
hash.in[101] <== 1;
hash.in[102] <== 0;
hash.in[103] <== 1;
hash.in[104] <== 0;
hash.in[105] <== 1;
hash.in[106] <== 1;
hash.in[107] <== 1;
hash.in[108] <== 0;
hash.in[109] <== 0;
hash.in[110] <== 1;
hash.in[111] <== 0;
for(var i=0; i<256; i++){
hash.in[112+i] <== note_nonce[i];
hash.in[368+i] <== nullifier_public_key[i];
hash.in[624+i] <== v[i];
}
for(var i=0; i<256; i++){
nullifier[i] <== hash.out[i];
}
}
template commitment_computer(){
signal input note_nonce[256];
signal input nullifier_public_key[256];
signal input v[256];
signal output commitment[256];
component hash = Sha256(888);
//The b"coin-commitment" Tag in bits with big endian order
hash.in[0] <== 0;
hash.in[1] <== 1;
hash.in[2] <== 1;
hash.in[3] <== 0;
hash.in[4] <== 0;
hash.in[5] <== 0;
hash.in[6] <== 1;
hash.in[7] <== 1;
hash.in[8] <== 0;
hash.in[9] <== 1;
hash.in[10] <== 1;
hash.in[11] <== 0;
hash.in[12] <== 1;
hash.in[13] <== 1;
hash.in[14] <== 1;
hash.in[15] <== 1;
hash.in[16] <== 0;
hash.in[17] <== 1;
hash.in[18] <== 1;
hash.in[19] <== 0;
hash.in[20] <== 1;
hash.in[21] <== 0;
hash.in[22] <== 0;
hash.in[23] <== 1;
hash.in[24] <== 0;
hash.in[25] <== 1;
hash.in[26] <== 1;
hash.in[27] <== 0;
hash.in[28] <== 1;
hash.in[29] <== 1;
hash.in[30] <== 1;
hash.in[31] <== 0;
hash.in[32] <== 0;
hash.in[33] <== 0;
hash.in[34] <== 1;
hash.in[35] <== 0;
hash.in[36] <== 1;
hash.in[37] <== 1;
hash.in[38] <== 0;
hash.in[39] <== 1;
hash.in[40] <== 0;
hash.in[41] <== 1;
hash.in[42] <== 1;
hash.in[43] <== 0;
hash.in[44] <== 0;
hash.in[45] <== 0;
hash.in[46] <== 1;
hash.in[47] <== 1;
hash.in[48] <== 0;
hash.in[49] <== 1;
hash.in[50] <== 1;
hash.in[51] <== 0;
hash.in[52] <== 1;
hash.in[53] <== 1;
hash.in[54] <== 1;
hash.in[55] <== 1;
hash.in[56] <== 0;
hash.in[57] <== 1;
hash.in[58] <== 1;
hash.in[59] <== 0;
hash.in[60] <== 1;
hash.in[61] <== 1;
hash.in[62] <== 0;
hash.in[63] <== 1;
hash.in[64] <== 0;
hash.in[65] <== 1;
hash.in[66] <== 1;
hash.in[67] <== 0;
hash.in[68] <== 1;
hash.in[69] <== 1;
hash.in[70] <== 0;
hash.in[71] <== 1;
hash.in[72] <== 0;
hash.in[73] <== 1;
hash.in[74] <== 1;
hash.in[75] <== 0;
hash.in[76] <== 1;
hash.in[77] <== 0;
hash.in[78] <== 0;
hash.in[79] <== 1;
hash.in[80] <== 0;
hash.in[81] <== 1;
hash.in[82] <== 1;
hash.in[83] <== 1;
hash.in[84] <== 0;
hash.in[85] <== 1;
hash.in[86] <== 0;
hash.in[87] <== 0;
hash.in[88] <== 0;
hash.in[89] <== 1;
hash.in[90] <== 1;
hash.in[91] <== 0;
hash.in[92] <== 1;
hash.in[93] <== 1;
hash.in[94] <== 0;
hash.in[95] <== 1;
hash.in[96] <== 0;
hash.in[97] <== 1;
hash.in[98] <== 1;
hash.in[99] <== 0;
hash.in[100] <== 0;
hash.in[101] <== 1;
hash.in[102] <== 0;
hash.in[103] <== 1;
hash.in[104] <== 0;
hash.in[105] <== 1;
hash.in[106] <== 1;
hash.in[107] <== 0;
hash.in[108] <== 1;
hash.in[109] <== 1;
hash.in[110] <== 1;
hash.in[111] <== 0;
hash.in[112] <== 0;
hash.in[113] <== 1;
hash.in[114] <== 1;
hash.in[115] <== 1;
hash.in[116] <== 0;
hash.in[117] <== 1;
hash.in[118] <== 0;
hash.in[119] <== 0;
for(var i=0; i<256; i++){
hash.in[120+i] <== note_nonce[i];
hash.in[376+i] <== nullifier_public_key[i];
hash.in[632+i] <== v[i];
}
for(var i=0; i<256; i++){
commitment[i] <== hash.out[i];
}
}
template nonce_updater(){
signal input note_nonce[256];
signal input nullifier_secret_key[256];
signal output updated_nonce[256];
component hash = Sha256(600);
//The b"coin-evolve" Tag in bits with big endian order
hash.in[0] <== 0;
hash.in[1] <== 1;
hash.in[2] <== 1;
hash.in[3] <== 0;
hash.in[4] <== 0;
hash.in[5] <== 0;
hash.in[6] <== 1;
hash.in[7] <== 1;
hash.in[8] <== 0;
hash.in[9] <== 1;
hash.in[10] <== 1;
hash.in[11] <== 0;
hash.in[12] <== 1;
hash.in[13] <== 1;
hash.in[14] <== 1;
hash.in[15] <== 1;
hash.in[16] <== 0;
hash.in[17] <== 1;
hash.in[18] <== 1;
hash.in[19] <== 0;
hash.in[20] <== 1;
hash.in[21] <== 0;
hash.in[22] <== 0;
hash.in[23] <== 1;
hash.in[24] <== 0;
hash.in[25] <== 1;
hash.in[26] <== 1;
hash.in[27] <== 0;
hash.in[28] <== 1;
hash.in[29] <== 1;
hash.in[30] <== 1;
hash.in[31] <== 0;
hash.in[32] <== 0;
hash.in[33] <== 0;
hash.in[34] <== 1;
hash.in[35] <== 0;
hash.in[36] <== 1;
hash.in[37] <== 1;
hash.in[38] <== 0;
hash.in[39] <== 1;
hash.in[40] <== 0;
hash.in[41] <== 1;
hash.in[42] <== 1;
hash.in[43] <== 0;
hash.in[44] <== 0;
hash.in[45] <== 1;
hash.in[46] <== 0;
hash.in[47] <== 1;
hash.in[48] <== 0;
hash.in[49] <== 1;
hash.in[50] <== 1;
hash.in[51] <== 1;
hash.in[52] <== 0;
hash.in[53] <== 1;
hash.in[54] <== 1;
hash.in[55] <== 0;
hash.in[56] <== 0;
hash.in[57] <== 1;
hash.in[58] <== 1;
hash.in[59] <== 0;
hash.in[60] <== 1;
hash.in[61] <== 1;
hash.in[62] <== 1;
hash.in[63] <== 1;
hash.in[64] <== 0;
hash.in[65] <== 1;
hash.in[66] <== 1;
hash.in[67] <== 0;
hash.in[68] <== 1;
hash.in[69] <== 1;
hash.in[70] <== 0;
hash.in[71] <== 0;
hash.in[72] <== 0;
hash.in[73] <== 1;
hash.in[74] <== 1;
hash.in[75] <== 1;
hash.in[76] <== 0;
hash.in[77] <== 1;
hash.in[78] <== 1;
hash.in[79] <== 0;
hash.in[80] <== 0;
hash.in[81] <== 1;
hash.in[82] <== 1;
hash.in[83] <== 0;
hash.in[84] <== 0;
hash.in[85] <== 1;
hash.in[86] <== 0;
hash.in[87] <== 1;
for(var i=0; i<256; i++){
hash.in[88+i] <== note_nonce[i];
hash.in[344+i] <== nullifier_secret_key[i];
}
for(var i=0; i<256; i++){
updated_nonce[i] <== hash.out[i];
}
}
template sha_2_to_1(){
signal input a[256];
signal input b[256];
signal output hash_ab[256];
component hash = Sha256(512);
for(var i=0; i<256; i++){
hash.in[i] <== a[i];
hash.in[i+256] <== b[i];
}
for(var i=0;i<256;i++){
hash_ab[i] <== hash.out[i];
}
}
template membership_checker(){
signal input commitment[256]; //The note commitment
signal input commitments_root[256]; //The root of the Merkle Tree containing every commitments (of depth 32)
signal input index[32]; //Position of the note commitment in bits in big endian
signal input node[32][256]; //Complementary hashes
component hash[32];
for(var i=0; i<32; i++){
hash[i] = sha_2_to_1();
}
for(var i=0; i<256; i++){
hash[0].a[i] <== commitment[i] - index[31] * (commitment[i] - node[0][i]);
hash[0].b[i] <== node[0][i] - index[31] * (node[0][i] - commitment[i]);
}
for(var i=1; i<32; i++){
for(var j=0; j<256; j++){
hash[i].a[j] <== hash[i-1].hash_ab[j] - index[31] * (hash[i-1].hash_ab[j] - node[i][j]);
hash[i].b[j] <== node[i][j] - index[31] * (node[i][j] - hash[i-1].hash_ab[j]);
}
}
for(var i=0; i<256; i++){
//commitments_root[i] === hash[31].hash_ab[i];
}
}
template bits2num_253(){
signal input bits[253];
signal output value;
signal intermediate_value[252];
intermediate_value[0] <== bits[0] * 2;
for(var i=1; i<252; i++){
intermediate_value[i] <== intermediate_value[i-1] * 2 + bits[i];
}
value <== intermediate_value[251] * 2 + bits[252];
}
template check_bits(n){
signal input bits[n];
for(var i=0; i<n; i++){
bits[i] * (1-bits[i]) === 0;
}
}
template sha_proof_of_leadership(){
signal input epoch_nonce[256]; //256 bits
signal input slot_number[64]; //64 bits
signal input pre_computed_threshold; //253 bits
signal input commitments_root[256]; //The root of the Merkle Tree containing every commitments (of depth 32) 256 bits
signal input note_nonce[256];
signal input nullifier_secret_key[256];
signal input v[253]; //253 bits
signal input index[32]; //Position of the note commitment in bits in big endian
signal input node[32][256]; //Complementary hashes
signal output nullifier[256];
signal output updated_commiment[256];
// Check that private inputs are indeed bits
component bit_checker[36];
for(var i=0; i<34; i++){
bit_checker[i] = check_bits(256);
if(i<32){
for(var j=0; j<256; j++){
bit_checker[i].bits[j] <== node[i][j];
}
}
}
bit_checker[34] = check_bits(253);
bit_checker[35] = check_bits(32);
for(var i=0; i<256; i++){
bit_checker[32].bits[i] <== note_nonce[i];
bit_checker[33].bits[i] <== nullifier_secret_key[i];
if(i<253){
bit_checker[34].bits[i] <== v[i];
}
if(i<32){
bit_checker[35].bits[i] <== index[i];
}
}
// Compute the value of v
component bits2num = bits2num_253();
for(var i=0; i<253; i++){
bits2num.bits[i] <== v[i];
}
// Check that r < threshold
component lottery_checker = check_lottery();
lottery_checker.pre_computed_threshold <== pre_computed_threshold;
lottery_checker.v <== bits2num.value;
for(var i=0; i<256; i++){
lottery_checker.epoch_nonce[i] <== epoch_nonce[i];
if(i<64){
lottery_checker.slot_number[i] <== slot_number[i];
}
lottery_checker.nullifier_secret_key[i] <== nullifier_secret_key[i];
lottery_checker.note_nonce[i] <== note_nonce[i];
}
// Compute the note commitment
component note_committer = commitment_computer();
for(var i=0; i<256; i++){
note_committer.note_nonce[i] <== note_nonce[i];
note_committer.nullifier_public_key[i] <== nullifier_secret_key[i]; // TODO: reflect the nullifier public key computation later when defined
}
note_committer.v[0] <== 0;
note_committer.v[1] <== 0;
note_committer.v[2] <== 0;
for(var i=0; i<253; i++){
note_committer.v[i+3] <== v[i];
}
// Check the commitment membership
component membership_checker = membership_checker();
for(var i=0; i<256; i++){
membership_checker.commitment[i] <== note_committer.commitment[i];
membership_checker.commitments_root[i] <== commitments_root[i];
for(var j=0; j<32; j++){
if(i==0){
membership_checker.index[j] <== index[j];
}
membership_checker.node[j][i] <== node[j][i];
}
}
// Compute the note nullifier
component nullifier_computer = nullifier_computer();
for(var i=0; i<256; i++){
nullifier_computer.note_nonce[i] <== note_nonce[i];
nullifier_computer.nullifier_public_key[i] <== nullifier_secret_key[i]; // TODO: reflect the nullifier public key computation later when defined
}
nullifier_computer.v[0] <== 0;
nullifier_computer.v[1] <== 0;
nullifier_computer.v[2] <== 0;
for(var i=0; i<253; i++){
nullifier_computer.v[i+3] <== v[i];
}
for(var i=0; i<256; i++){
nullifier[i] <== nullifier_computer.nullifier[i];
}
// Compute the evolved nonce
component nonce_updater = nonce_updater();
for(var i=0; i<256; i++){
nonce_updater.note_nonce[i] <== note_nonce[i];
nonce_updater.nullifier_secret_key[i] <== nullifier_secret_key[i];
}
// Compute the new note commitment
component updated_note_committer = commitment_computer();
for(var i=0; i<256; i++){
updated_note_committer.note_nonce[i] <== nonce_updater.updated_nonce[i];
updated_note_committer.nullifier_public_key[i] <== nullifier_secret_key[i]; // TODO: reflect the nullifier public key computation later when defined
}
updated_note_committer.v[0] <== 0;
updated_note_committer.v[1] <== 0;
updated_note_committer.v[2] <== 0;
for(var i=0; i<253; i++){
updated_note_committer.v[i+3] <== v[i];
}
for(var i =0; i<256; i++){
updated_commiment[i] <== updated_note_committer.commitment[i];
}
}
component main {public [epoch_nonce, slot_number, pre_computed_threshold, commitments_root]} = sha_proof_of_leadership();

View File

@ -0,0 +1,488 @@
//test
pragma circom 2.1.9;
include "poseidon_Jubjub_16_to_1_constants.circom";
template external_linear_layer_16_to_1() {
signal input in[16];
signal output out[16];
// Matrix is [10 14 2 6 5 7 1 3 5 7 1 3 5 7 1 3]
// [ 8 12 2 2 4 6 1 1 4 6 1 1 4 6 1 1]
// [ 2 6 10 14 1 3 5 7 1 3 5 7 1 3 5 7]
// [ 2 2 8 12 1 1 4 6 1 1 4 6 1 1 4 6]
// [ 5 7 1 3 10 14 2 6 5 7 1 3 5 7 1 3]
// [ 4 6 1 1 8 12 2 2 4 6 1 1 4 6 1 1]
// [ 1 3 5 7 2 6 10 14 1 3 5 7 1 3 5 7]
// [ 1 1 4 6 2 2 8 12 1 1 4 6 1 1 4 6]
// [ 5 7 1 3 5 7 1 3 10 14 2 6 5 7 1 3]
// [ 4 6 1 1 4 6 1 1 8 12 2 2 4 6 1 1]
// [ 1 3 5 7 1 3 5 7 2 6 10 14 1 3 5 7]
// [ 1 1 4 6 1 1 4 6 2 2 8 12 1 1 4 6]
// [ 5 7 1 3 5 7 1 3 5 7 1 3 10 14 2 6]
// [ 4 6 1 1 4 6 1 1 4 6 1 1 8 12 2 2]
// [ 1 3 5 7 1 3 5 7 1 3 5 7 2 6 10 14]
// [ 1 1 4 6 1 1 4 6 1 1 4 6 2 2 8 12]
out[0] <== in[0] +in[0] +in[0] +in[0] +in[0] +in[0] +in[0] +in[0] +in[0] +in[0] +
in[1] +in[1] +in[1] +in[1] +in[1] +in[1] +in[1] +in[1] +in[1] +in[1] +in[1] +in[1] +in[1] +in[1] +
in[2] +in[2] +
in[3] +in[3] +in[3] +in[3] +in[3] +in[3] +
in[4] +in[4] +in[4] +in[4] +in[4] +
in[5] +in[5] +in[5] +in[5] +in[5] +in[5] +in[5] +
in[6] +
in[7] +in[7] +in[7] +
in[8] +in[8] +in[8] +in[8] +in[8] +
in[9] +in[9] +in[9] +in[9] +in[9] +in[9] +in[9] +
in[10] +
in[11] +in[11] +in[11] +
in[12] +in[12] +in[12] +in[12] +in[12] +
in[13] +in[13] +in[13] +in[13] +in[13] +in[13] +in[13] +
in[14] +
in[15] +in[15] +in[15];
out[1] <== in[0] +in[0] +in[0] +in[0] +in[0] +in[0] +in[0] +in[0] +
in[1] +in[1] +in[1] +in[1] +in[1] +in[1] +in[1] +in[1] +in[1] +in[1] +in[1] +in[1] +
in[2] +in[2] +
in[3] +in[3] +
in[4] +in[4] +in[4] +in[4] +
in[5] +in[5] +in[5] +in[5] +in[5] +in[5] +
in[6] +
in[7] +
in[8] +in[8] +in[8] +in[8] +
in[9] +in[9] +in[9] +in[9] +in[9] +in[9] +
in[10] +
in[11] +
in[12] +in[12] +in[12] +in[12] +
in[13] +in[13] +in[13] +in[13] +in[13] +in[13] +
in[14] +
in[15];
out[2] <== in[0] +in[0] +
in[1] +in[1] +in[1] +in[1] +in[1] +in[1] +
in[2] +in[2] +in[2] +in[2] +in[2] +in[2] +in[2] +in[2] +in[2] +in[2] +
in[3] +in[3] +in[3] +in[3] +in[3] +in[3] +in[3] +in[3] +in[3] +in[3] +in[3] +in[3] +in[3] +in[3] +
in[4] +
in[5] +in[5] +in[5] +
in[6] +in[6] +in[6] +in[6] +in[6] +
in[7] +in[7] +in[7] +in[7] +in[7] +in[7] +in[7] +
in[8] +
in[9] +in[9] +in[9] +
in[10] +in[10] +in[10] +in[10] +in[10] +
in[11] +in[11] +in[11] +in[11] +in[11] +in[11] +in[11] +
in[12] +
in[13] +in[13] +in[13] +
in[14] +in[14] +in[14] +in[14] +in[14] +
in[15] +in[15] +in[15] +in[15] +in[15] +in[15] +in[15];
out[3] <== in[0] +in[0] +
in[1] +in[1] +
in[2] +in[2] +in[2] +in[2] +in[2] +in[2] +in[2] +in[2] +
in[3] +in[3] +in[3] +in[3] +in[3] +in[3] +in[3] +in[3] +in[3] +in[3] +in[3] +in[3] +
in[4] +
in[5] +
in[6] +in[6] +in[6] +in[6] +
in[7] +in[7] +in[7] +in[7] +in[7] +in[7] +
in[8] +
in[9] +
in[10] +in[10] +in[10] +in[10] +
in[11] +in[11] +in[11] +in[11] +in[11] +in[11] +
in[12] +
in[13] +
in[14] +in[14] +in[14] +in[14] +
in[15] +in[15] +in[15] +in[15] +in[15] +in[15];
out[4] <== in[0] +in[0] +in[0] +in[0] +in[0] +
in[1] +in[1] +in[1] +in[1] +in[1] +in[1] +in[1] +
in[2] +
in[3] +in[3] +in[3] +
in[4] +in[4] +in[4] +in[4] +in[4] +in[4] +in[4] +in[4] +in[4] +in[4] +
in[5] +in[5] +in[5] +in[5] +in[5] +in[5] +in[5] +in[5] +in[5] +in[5] +in[5] +in[5] +in[5] +in[5] +
in[6] +in[6] +
in[7] +in[7] +in[7] +in[7] +in[7] +in[7] +
in[8] +in[8] +in[8] +in[8] +in[8] +
in[9] +in[9] +in[9] +in[9] +in[9] +in[9] +in[9] +
in[10] +
in[11] +in[11] +in[11] +
in[12] +in[12] +in[12] +in[12] +in[12] +
in[13] +in[13] +in[13] +in[13] +in[13] +in[13] +in[13] +
in[14] +
in[15] +in[15] +in[15];
out[5] <== in[0] +in[0] +in[0] +in[0] +
in[1] +in[1] +in[1] +in[1] +in[1] +in[1] +
in[2] +
in[3] +
in[4] +in[4] +in[4] +in[4] +in[4] +in[4] +in[4] +in[4] +
in[5] +in[5] +in[5] +in[5] +in[5] +in[5] +in[5] +in[5] +in[5] +in[5] +in[5] +in[5] +
in[6] +in[6] +
in[7] +in[7] +
in[8] +in[8] +in[8] +in[8] +
in[9] +in[9] +in[9] +in[9] +in[9] +in[9] +
in[10] +
in[11] +
in[12] +in[12] +in[12] +in[12] +
in[13] +in[13] +in[13] +in[13] +in[13] +in[13] +
in[14] +
in[15];
out[6] <== in[0] +
in[1] +in[1] +in[1] +
in[2] +in[2] +in[2] +in[2] +in[2] +
in[3] +in[3] +in[3] +in[3] +in[3] +in[3] +in[3] +
in[4] +in[4] +
in[5] +in[5] +in[5] +in[5] +in[5] +in[5] +
in[6] +in[6] +in[6] +in[6] +in[6] +in[6] +in[6] +in[6] +in[6] +in[6] +
in[7] +in[7] +in[7] +in[7] +in[7] +in[7] +in[7] +in[7] +in[7] +in[7] +in[7] +in[7] +in[7] +in[7] +
in[8] +
in[9] +in[9] +in[9] +
in[10] +in[10] +in[10] +in[10] +in[10] +
in[11] +in[11] +in[11] +in[11] +in[11] +in[11] +in[11] +
in[12] +
in[13] +in[13] +in[13] +
in[14] +in[14] +in[14] +in[14] +in[14] +
in[15] +in[15] +in[15] +in[15] +in[15] +in[15] +in[15];
out[7] <== in[0] +
in[1] +
in[2] +in[2] +in[2] +in[2] +
in[3] +in[3] +in[3] +in[3] +in[3] +in[3] +
in[4] +in[4] +
in[5] +in[5] +
in[6] +in[6] +in[6] +in[6] +in[6] +in[6] +in[6] +in[6] +
in[7] +in[7] +in[7] +in[7] +in[7] +in[7] +in[7] +in[7] +in[7] +in[7] +in[7] +in[7] +
in[8] +
in[9] +
in[10] +in[10] +in[10] +in[10] +
in[11] +in[11] +in[11] +in[11] +in[11] +in[11] +
in[12] +
in[13] +
in[14] +in[14] +in[14] +in[14] +
in[15] +in[15] +in[15] +in[15] +in[15] +in[15];
out[8] <== in[0] +in[0] +in[0] +in[0] +in[0] +
in[1] +in[1] +in[1] +in[1] +in[1] +in[1] +in[1] +
in[2] +
in[3] +in[3] +in[3] +
in[4] +in[4] +in[4] +in[4] +in[4] +
in[5] +in[5] +in[5] +in[5] +in[5] +in[5] +in[5] +
in[6] +
in[7] +in[7] +in[7] +
in[8] +in[8] +in[8] +in[8] +in[8] +in[8] +in[8] +in[8] +in[8] +in[8] +
in[9] +in[9] +in[9] +in[9] +in[9] +in[9] +in[9] +in[9] +in[9] +in[9] +in[9] +in[9] +in[9] +in[9] +
in[10] +in[10] +
in[11] +in[11] +in[11] +in[11] +in[11] +in[11] +
in[12] +in[12] +in[12] +in[12] +in[12] +
in[13] +in[13] +in[13] +in[13] +in[13] +in[13] +in[13] +
in[14] +
in[15] +in[15] +in[15];
out[9] <== in[0] +in[0] +in[0] +in[0] +
in[1] +in[1] +in[1] +in[1] +in[1] +in[1] +
in[2] +
in[3] +
in[4] +in[4] +in[4] +in[4] +
in[5] +in[5] +in[5] +in[5] +in[5] +in[5] +
in[6] +
in[7] +
in[8] +in[8] +in[8] +in[8] +in[8] +in[8] +in[8] +in[8] +
in[9] +in[9] +in[9] +in[9] +in[9] +in[9] +in[9] +in[9] +in[9] +in[9] +in[9] +in[9] +
in[10] +in[10] +
in[11] +in[11] +
in[12] +in[12] +in[12] +in[12] +
in[13] +in[13] +in[13] +in[13] +in[13] +in[13] +
in[14] +
in[15];
out[10] <== in[0] +
in[1] +in[1] +in[1] +
in[2] +in[2] +in[2] +in[2] +in[2] +
in[3] +in[3] +in[3] +in[3] +in[3] +in[3] +in[3] +
in[4] +
in[5] +in[5] +in[5] +
in[6] +in[6] +in[6] +in[6] +in[6] +
in[7] +in[7] +in[7] +in[7] +in[7] +in[7] +in[7] +
in[8] +in[8] +
in[9] +in[9] +in[9] +in[9] +in[9] +in[9] +
in[10] +in[10] +in[10] +in[10] +in[10] +in[10] +in[10] +in[10] +in[10] +in[10] +
in[11] +in[11] +in[11] +in[11] +in[11] +in[11] +in[11] +in[11] +in[11] +in[11] +in[11] +in[11] +in[11] +in[11] +
in[12] +
in[13] +in[13] +in[13] +
in[14] +in[14] +in[14] +in[14] +in[14] +
in[15] +in[15] +in[15] +in[15] +in[15] +in[15] +in[15];
out[11] <== in[0] +
in[1] +
in[2] +in[2] +in[2] +in[2] +
in[3] +in[3] +in[3] +in[3] +in[3] +in[3] +
in[4] +
in[5] +
in[6] +in[6] +in[6] +in[6] +
in[7] +in[7] +in[7] +in[7] +in[7] +in[7] +
in[8] +in[8] +
in[9] +in[9] +
in[10] +in[10] +in[10] +in[10] +in[10] +in[10] +in[10] +in[10] +
in[11] +in[11] +in[11] +in[11] +in[11] +in[11] +in[11] +in[11] +in[11] +in[11] +in[11] +in[11] +
in[12] +
in[13] +
in[14] +in[14] +in[14] +in[14] +
in[15] +in[15] +in[15] +in[15] +in[15] +in[15];
out[12] <== in[0] +in[0] +in[0] +in[0] +in[0] +
in[1] +in[1] +in[1] +in[1] +in[1] +in[1] +in[1] +
in[2] +
in[3] +in[3] +in[3] +
in[4] +in[4] +in[4] +in[4] +in[4] +
in[5] +in[5] +in[5] +in[5] +in[5] +in[5] +in[5] +
in[6] +
in[7] +in[7] +in[7] +
in[8] +in[8] +in[8] +in[8] +in[8] +
in[9] +in[9] +in[9] +in[9] +in[9] +in[9] +in[9] +
in[10] +
in[11] +in[11] +in[11] +
in[12] +in[12] +in[12] +in[12] +in[12] +in[12] +in[12] +in[12] +in[12] +in[12] +
in[13] +in[13] +in[13] +in[13] +in[13] +in[13] +in[13] +in[13] +in[13] +in[13] +in[13] +in[13] +in[13] +in[13] +
in[14] +in[14] +
in[15] +in[15] +in[15] +in[15] +in[15] +in[15];
out[13] <== in[0] +in[0] +in[0] +in[0] +
in[1] +in[1] +in[1] +in[1] +in[1] +in[1] +
in[2] +
in[3] +
in[4] +in[4] +in[4] +in[4] +
in[5] +in[5] +in[5] +in[5] +in[5] +in[5] +
in[6] +
in[7] +
in[8] +in[8] +in[8] +in[8] +
in[9] +in[9] +in[9] +in[9] +in[9] +in[9] +
in[10] +
in[11] +
in[12] +in[12] +in[12] +in[12] +in[12] +in[12] +in[12] +in[12] +
in[13] +in[13] +in[13] +in[13] +in[13] +in[13] +in[13] +in[13] +in[13] +in[13] +in[13] +in[13] +
in[14] +in[14] +
in[15] +in[15];
out[14] <== in[0] +
in[1] +in[1] +in[1] +
in[2] +in[2] +in[2] +in[2] +in[2] +
in[3] +in[3] +in[3] +in[3] +in[3] +in[3] +in[3] +
in[4] +
in[5] +in[5] +in[5] +
in[6] +in[6] +in[6] +in[6] +in[6] +
in[7] +in[7] +in[7] +in[7] +in[7] +in[7] +in[7] +
in[8] +
in[9] +in[9] +in[9] +
in[10] +in[10] +in[10] +in[10] +in[10] +
in[11] +in[11] +in[11] +in[11] +in[11] +in[11] +in[11] +
in[12] +in[12] +
in[13] +in[13] +in[13] +in[13] +in[13] +in[13] +
in[14] +in[14] +in[14] +in[14] +in[14] +in[14] +in[14] +in[14] +in[14] +in[14] +
in[15] +in[15] +in[15] +in[15] +in[15] +in[15] +in[15] +in[15] +in[15] +in[15] +in[15] +in[15] +in[15] +in[15];
out[15] <== in[0] +
in[1] +
in[2] +in[2] +in[2] +in[2] +
in[3] +in[3] +in[3] +in[3] +in[3] +in[3] +
in[4] +
in[5] +
in[6] +in[6] +in[6] +in[6] +
in[7] +in[7] +in[7] +in[7] +in[7] +in[7] +
in[8] +
in[9] +
in[10] +in[10] +in[10] +in[10] +
in[11] +in[11] +in[11] +in[11] +in[11] +in[11] +
in[12] +in[12] +
in[13] +in[13] +
in[14] +in[14] +in[14] +in[14] +in[14] +in[14] +in[14] +in[14] +
in[15] +in[15] +in[15] +in[15] +in[15] +in[15] +in[15] +in[15] +in[15] +in[15] +in[15] +in[15];
}
template internal_linear_layer_16_to_1() {
signal input in[16];
signal output out[16];
signal sum <== in[0] + in[1] + in[2] + in[3] + in[4] + in[5] + in[6] + in[7] + in[8] + in[9] + in[10] + in[11] + in[12] + in[13] + in[14] + in[15];
out[0] <== in[0] * 67 + sum;
out[1] <== in[1] * 84 + sum;
out[2] <== in[2] * 80 + sum;
out[3] <== in[3] * 94 + sum;
out[4] <== in[4] * 57 + sum;
out[5] <== in[5] * 89 + sum;
out[6] <== in[6] * 92 + sum;
out[7] <== in[7] * 39 + sum;
out[8] <== in[8] * 34 + sum;
out[9] <== in[9] * 24 + sum;
out[10] <== in[10] + sum;
out[11] <== in[11] * 95 + sum;
out[12] <== in[12] * 21 + sum;
out[13] <== in[13] * 73 + sum;
out[14] <== in[14] * 68 + sum;
out[15] <== in[15] * 52 + sum;
}
template sbox_16_to_1() { // ALPHA = 5
signal input in;
signal output out;
signal in2;
signal in4;
in2 <== in*in;
in4 <== in2 * in2;
out <== in4 * in;
}
template ARC_16_to_1(index){
signal input in;
signal output out;
var constants[185] = round_constant_16_to_1();
out <== in + constants[index];
}
template partial_round_16_to_1(round_number) {
signal input in[16];
signal output out[16];
component add_constant = ARC_16_to_1(round_number + 60);
add_constant.in <== in[0];
component exp = sbox_16_to_1();
exp.in <== add_constant.out;
component matrix = internal_linear_layer_16_to_1();
matrix.in[0] <== exp.out;
for(var i=1; i<16; i++){
matrix.in[i] <== in[i];
}
for(var i=0; i<16; i++){
out[i] <== matrix.out[i];
}
}
template full_rounds_16_to_1(round_number){
signal input in[16];
signal output out[16];
component add_constant[16];
if(round_number < 4) {
for(var i=0; i<16; i++){
add_constant[i] = ARC_16_to_1(round_number*16+i);
}
} else {
for(var i=0; i<16; i++){
add_constant[i] = ARC_16_to_1((round_number - 61) * 16 + i + 121);
}
}
for(var i=0; i<16; i++){
add_constant[i].in <== in[i];
}
component exp[16];
for(var i=0; i<16; i++){
exp[i] = sbox_16_to_1();
exp[i].in <== add_constant[i].out;
}
component matrix = external_linear_layer_16_to_1();
for(var i=0; i<16; i++){
matrix.in[i] <== exp[i].out;
}
for(var i=0; i<16; i++){
out[i] <== matrix.out[i];
}
}
template permutation_16_to_1(){
signal input in[16];
signal output out[16];
component full_rounds_16_to_1[8];
component partial_round_16_to_1s[57];
component matrix = external_linear_layer_16_to_1();
for(var i=0; i<16; i++){
matrix.in[i] <== in[i];
}
for(var i=0; i<65; i++){
if(i < 4) {
full_rounds_16_to_1[i] = full_rounds_16_to_1(i);
} else {
if(i<61) {
partial_round_16_to_1s[i-4] = partial_round_16_to_1(i);
} else {
full_rounds_16_to_1[i-57] = full_rounds_16_to_1(i);
}
}
}
for(var i=0; i<16; i++){
full_rounds_16_to_1[0].in[i] <== matrix.out[i];
}
for(var i=1; i<4; i++){
for(var j=0; j<16; j++){
full_rounds_16_to_1[i].in[j] <== full_rounds_16_to_1[i-1].out[j];
}
}
for(var i=0; i<16; i++){
partial_round_16_to_1s[0].in[i] <== full_rounds_16_to_1[3].out[i];
}
for(var i=1; i<57; i++){
for(var j=0; j<16; j++){
partial_round_16_to_1s[i].in[j] <== partial_round_16_to_1s[i-1].out[j];
}
}
for(var i=0; i<16; i++){
full_rounds_16_to_1[4].in[i] <== partial_round_16_to_1s[56].out[i];
}
for(var i=5; i<8; i++){
for(var j=0; j<16; j++){
full_rounds_16_to_1[i].in[j] <== full_rounds_16_to_1[i-1].out[j];
}
}
for(var i=0; i<16; i++){
out[i] <== full_rounds_16_to_1[7].out[i];
}
}
template hash_16_to_1(){
signal input in[16];
signal output out;
component perm = permutation_16_to_1();
for(var i=0; i<16; i++){
perm.in[i] <== in[i];
}
out <== in[0] + perm.out[0] +
in[1] + perm.out[1] +
in[2] + perm.out[2] +
in[3] + perm.out[3] +
in[4] + perm.out[4] +
in[5] + perm.out[5] +
in[6] + perm.out[6] +
in[7] + perm.out[7] +
in[8] + perm.out[8] +
in[9] + perm.out[9] +
in[10] + perm.out[10] +
in[11] + perm.out[11] +
in[12] + perm.out[12] +
in[13] + perm.out[13] +
in[14] + perm.out[14] +
in[15] + perm.out[15];
}
//component main = hash_16_to_1();

View File

@ -0,0 +1,147 @@
//test
pragma circom 2.1.9;
include "poseidon_Jubjub_2_to_1_constants.circom";
template linear_layer_2_to_1() {
signal input in[2];
signal output out[2];
out[0] <== in[0] + in[0] + in[1];
out[1] <== in[0] + in[1] + in[1];
}
template sbox_2_to_1() { // ALPHA = 5
signal input in;
signal output out;
signal in2;
signal in4;
in2 <== in*in;
in4 <== in2 * in2;
out <== in4 * in;
}
template ARC_2_to_1(index){
signal input in;
signal output out;
var constants[72] = round_constant_2_to_1();
out <== in + constants[index];
}
template partial_round_2_to_1(round_number) {
signal input in[2];
signal output out[2];
component add_constant = ARC_2_to_1(round_number + 4);
add_constant.in <== in[0];
component exp = sbox_2_to_1();
exp.in <== add_constant.out;
component matrix = linear_layer_2_to_1();
matrix.in[0] <== exp.out;
matrix.in[1] <== in[1];
out[0] <== matrix.out[0];
out[1] <== matrix.out[1];
}
template full_rounds_2_to_1(round_number){
signal input in[2];
signal output out[2];
component add_constant[2];
if(round_number < 4) {
add_constant[0] = ARC_2_to_1(round_number*2);
add_constant[1] = ARC_2_to_1(round_number*2 +1);
} else {
add_constant[0] = ARC_2_to_1((round_number - 60) * 2 + 64);
add_constant[1] = ARC_2_to_1((round_number - 60) * 2 + 65);
}
add_constant[0].in <== in[0];
add_constant[1].in <== in[1];
component exp[2];
exp[0] = sbox_2_to_1();
exp[1] = sbox_2_to_1();
exp[0].in <== add_constant[0].out;
exp[1].in <== add_constant[1].out;
component matrix = linear_layer_2_to_1();
matrix.in[0] <== exp[0].out;
matrix.in[1] <== exp[1].out;
out[0] <== matrix.out[0];
out[1] <== matrix.out[1];
}
template permutation_2_to_1(){
signal input in[2];
signal output out[2];
component full_rounds_2_to_1[8];
component partial_round_2_to_1s[56];
component matrix = linear_layer_2_to_1();
matrix.in[0] <== in[0];
matrix.in[1] <== in[1];
for(var i=0; i<64; i++){
if(i < 4) {
full_rounds_2_to_1[i] = full_rounds_2_to_1(i);
} else {
if(i<60) {
partial_round_2_to_1s[i-4] = partial_round_2_to_1(i);
} else {
full_rounds_2_to_1[i-56] = full_rounds_2_to_1(i);
}
}
}
full_rounds_2_to_1[0].in[0] <== matrix.out[0];
full_rounds_2_to_1[0].in[1] <== matrix.out[1];
for(var i=1; i<4; i++){
full_rounds_2_to_1[i].in[0] <== full_rounds_2_to_1[i-1].out[0];
full_rounds_2_to_1[i].in[1] <== full_rounds_2_to_1[i-1].out[1];
}
partial_round_2_to_1s[0].in[0] <== full_rounds_2_to_1[3].out[0];
partial_round_2_to_1s[0].in[1] <== full_rounds_2_to_1[3].out[1];
for(var i=1; i<56; i++){
partial_round_2_to_1s[i].in[0] <== partial_round_2_to_1s[i-1].out[0];
partial_round_2_to_1s[i].in[1] <== partial_round_2_to_1s[i-1].out[1];
}
full_rounds_2_to_1[4].in[0] <== partial_round_2_to_1s[55].out[0];
full_rounds_2_to_1[4].in[1] <== partial_round_2_to_1s[55].out[1];
for(var i=5; i<8; i++){
full_rounds_2_to_1[i].in[0] <== full_rounds_2_to_1[i-1].out[0];
full_rounds_2_to_1[i].in[1] <== full_rounds_2_to_1[i-1].out[1];
}
out[0] <== full_rounds_2_to_1[7].out[0];
out[1] <== full_rounds_2_to_1[7].out[1];
}
template hash_2_to_1(){
signal input in[2];
signal output out;
component perm = permutation_2_to_1();
perm.in[0] <== in[0];
perm.in[1] <== in[1];
out <== in[0] + perm.out[0] + in[1] + perm.out[1];
}
//component main = hash_2_to_1();

View File

@ -0,0 +1,188 @@
//test
pragma circom 2.1.9;
include "poseidon_Jubjub_4_to_1_constants.circom";
template external_linear_layer_4_to_1() {
signal input in[4];
signal output out[4];
out[3] <== in[0] + in[0] + in[0] + in[0] + in[0] + in[1] + in[1] + in[1] + in[1] + in[1] + in[1] + in[1] + in[2] + in[3] + in[3] + in[3];
out[1] <== in[0] + in[0] + in[0] + in[0] + in[1] + in[1] + in[1] + in[1] + in[1] + in[1] + in[2] + in[3];
out[0] <== in[0] + in[1] + in[1] + in[1] + in[2] + in[2] + in[2] + in[2] + in[2] + in[3] + in[3] + in[3] + in[3] + in[3] + in[3] + in[3];
out[2] <== in[0] + in[1] + in[2] + in[2] + in[2] + in[2] + in[3] + in[3] + in[3] + in[3] + in[3] + in[3];
}
template internal_linear_layer_4_to_1() {
signal input in[4];
signal output out[4];
out[0] <== in[0] + in[0] + in[1] + in[2] + in[3];
out[1] <== in[1] + in[0] + in[1] + in[2] + in[3];
out[2] <== in[2] + in[2] + in[2] + in[0] + in[1] + in[2] + in[3];
out[3] <== in[3] + in[3] + in[3] + in[3] + in[3] + in[3] + in[3] + in[0] + in[1] + in[2] + in[3];
}
template sbox_4_to_1() { // ALPHA = 5
signal input in;
signal output out;
signal in2;
signal in4;
in2 <== in*in;
in4 <== in2 * in2;
out <== in4 * in;
}
template ARC_4_to_1(index){
signal input in;
signal output out;
var constants[88] = round_constant_4_to_1();
out <== in + constants[index];
}
template partial_round_4_to_1(round_number) {
signal input in[4];
signal output out[4];
component add_constant = ARC_4_to_1(round_number + 12);
add_constant.in <== in[0];
component exp = sbox_4_to_1();
exp.in <== add_constant.out;
component matrix = internal_linear_layer_4_to_1();
matrix.in[0] <== exp.out;
matrix.in[1] <== in[1];
matrix.in[2] <== in[2];
matrix.in[3] <== in[3];
out[0] <== matrix.out[0];
out[1] <== matrix.out[1];
out[2] <== matrix.out[2];
out[3] <== matrix.out[3];
}
template full_rounds_4_to_1(round_number){
signal input in[4];
signal output out[4];
component add_constant[4];
if(round_number < 4) {
add_constant[0] = ARC_4_to_1(round_number*4);
add_constant[1] = ARC_4_to_1(round_number*4 +1);
add_constant[2] = ARC_4_to_1(round_number*4 +2);
add_constant[3] = ARC_4_to_1(round_number*4 +3);
} else {
add_constant[0] = ARC_4_to_1((round_number - 60) * 4 + 72);
add_constant[1] = ARC_4_to_1((round_number - 60) * 4 + 73);
add_constant[2] = ARC_4_to_1((round_number - 60) * 4 + 74);
add_constant[3] = ARC_4_to_1((round_number - 60) * 4 + 75);
}
add_constant[0].in <== in[0];
add_constant[1].in <== in[1];
add_constant[2].in <== in[2];
add_constant[3].in <== in[3];
component exp[4];
exp[0] = sbox_4_to_1();
exp[1] = sbox_4_to_1();
exp[2] = sbox_4_to_1();
exp[3] = sbox_4_to_1();
exp[0].in <== add_constant[0].out;
exp[1].in <== add_constant[1].out;
exp[2].in <== add_constant[2].out;
exp[3].in <== add_constant[3].out;
component matrix = external_linear_layer_4_to_1();
matrix.in[0] <== exp[0].out;
matrix.in[1] <== exp[1].out;
matrix.in[2] <== exp[2].out;
matrix.in[3] <== exp[3].out;
out[0] <== matrix.out[0];
out[1] <== matrix.out[1];
out[2] <== matrix.out[2];
out[3] <== matrix.out[3];
}
template permutation_4_to_1(){
signal input in[4];
signal output out[4];
component full_rounds_4_to_1[8];
component partial_round_4_to_1s[56];
component matrix = external_linear_layer_4_to_1();
matrix.in[0] <== in[0];
matrix.in[1] <== in[1];
matrix.in[2] <== in[2];
matrix.in[3] <== in[3];
for(var i=0; i<64; i++){
if(i < 4) {
full_rounds_4_to_1[i] = full_rounds_4_to_1(i);
} else {
if(i<60) {
partial_round_4_to_1s[i-4] = partial_round_4_to_1(i);
} else {
full_rounds_4_to_1[i-56] = full_rounds_4_to_1(i);
}
}
}
for(var i=0; i<4; i++){
full_rounds_4_to_1[0].in[i] <== matrix.out[i];
}
for(var i=1; i<4; i++){
for(var j=0; j<4; j++){
full_rounds_4_to_1[i].in[j] <== full_rounds_4_to_1[i-1].out[j];
}
}
for(var i=0; i<4; i++){
partial_round_4_to_1s[0].in[i] <== full_rounds_4_to_1[3].out[i];
}
for(var i=1; i<56; i++){
for(var j=0; j<4; j++){
partial_round_4_to_1s[i].in[j] <== partial_round_4_to_1s[i-1].out[j];
}
}
for(var i=0; i<4; i++){
full_rounds_4_to_1[4].in[i] <== partial_round_4_to_1s[55].out[i];
}
for(var i=5; i<8; i++){
for(var j=0; j<4; j++){
full_rounds_4_to_1[i].in[j] <== full_rounds_4_to_1[i-1].out[j];
}
}
for(var i=0; i<4; i++){
out[i] <== full_rounds_4_to_1[7].out[i];
}
}
template hash_4_to_1(){
signal input in[4];
signal output out;
component perm = permutation_4_to_1();
perm.in[0] <== in[0];
perm.in[1] <== in[1];
perm.in[2] <== in[2];
perm.in[3] <== in[3];
out <== in[0] + perm.out[0] + in[1] + perm.out[1] + in[2] + perm.out[2] + in[3] + perm.out[3];
}
//component main = hash_4_to_1();

View File

@ -0,0 +1,193 @@
//test
pragma circom 2.1.9;
function round_constant_16_to_1() {
return
[
39725799400017827115953999199803965513668921247606107843235739645000498452181,
42966428960558994593504354654034020585855169251008976179361555763424614464338,
1902577049757491257818576950592390026062184527103985176709404045325719879153,
44431672934524375006946320990995907220611992982569305140824479722873832750184,
39726183949244760384768131039650643342100328144953562677717530936076214603575,
47922249389084318636163655667342945193486098112364797914711366318805271081986,
1862870272947949400931550187895813583996084263112126758587127421895920740217,
4609552006052426829558648842629624826577232105300129098751251434249497379415,
35588143488957689566276930373759329909335354222484070944945535758095890233602,
31992851211763793548423275170246297274462525072830105768609534303798701174374,
10431109178659867018016774068824625279897747730577584847579124215705854088752,
1949666570245048798153069638552026706752846020986409274673577266743024227986,
26013146320492118585809324011747055383255013664810283913111923543378165512435,
24326326384498087823059984407171843358848416830861907662385192677188116053544,
22319685994625011021753350147173406654223939569203496437101532456482753075879,
50557239558368781744228704045005139069258908206255515650400270553037541504198,
8150349453804124148576142676639616213878444242674057629308915686941165448719,
48208850819924081505370182430049176104131115325038330030896851480045955495846,
23292055228237110741391983617517431423114804124284097964494568447865687504083,
41624195613852190072343927309438239744583865875755371975404916906916622520312,
35035764767249963834124347515646744980548162618519514861977709647292192162935,
4779348796643887084014079273412324900195658451616750603184150546614709227590,
33367047533960399900339953965992791362189146117008495287189183308885826514987,
47818152023063189199872106125697047204743569529570459808477570336306405682618,
42796246674763432543587686312218067656639355734975037053737259369488219415432,
10957190869792979750714342710039883244593973691851341486138757518667861871308,
2841790402482039728028394542789470351099439451234544313142331893197703007354,
16616683520944631525798957628064854348665295295102366742591213566889088018633,
33567370488316680379461825404457605756079279555675131093451020281219258632141,
20149108407482774388930550024591991805677394222603241325670591147763821350175,
26521955033333972827600806868235450804729772994352860271090218480508888628468,
30420917495722730561485028971813175058988495495112448737909833585405582002453,
28826298253194385387635350229770135429043506867664273190337060583321839575111,
17917025733340975563320009027981039582040740238333569779892727038742964339095,
7141322642265363206186621258281581108534976046127258038741170240455221165198,
19418423356096329136327193014171723261000987171654451855537930843119849003480,
4435246673426368856651403911455319600556213204117162371080963632405613232527,
19632896986964074847700416879011202636067522051661757108806676985789880273707,
27046963462399353439595827223611516072637119359583733706532920096544318625175,
46022420944605380770914903892871308087212302911540340258773948901501361016991,
47210247379686065208769144617004411377616699091411215517824991959313614962397,
10113618698993232512425817656261980665816667005776383524586380129027083138291,
35517438329843448024913764440686318451400431892618552836051616554728503908001,
15621081553202567263286903894992975334527971102321162065809849644051230558156,
29674547690110160534416981628193785576251233526911087635787729103482288097393,
48072441526206759351688872909792052037070864282054279767041551741286737196367,
41744043803776630924388673324290707208134439478043126394378048339212169592401,
9628276074092566929694879552911540910341944885042275367756464425374067624509,
20632626646113120307999197184021140185329277351497138331616553936227435116058,
20792210528194122935550939155383235642592438080224243249333876170013316543401,
40415491313636855559381927040556471386850767350804210034574345185034062472388,
42065986796325477298062230949689861704213331366919061593388137948694441619250,
40821207536769008545206744063766400532504619210533302382117795523897539697933,
25553665219208663753910822024028906032034541099513008737546655361577447316484,
19736663029664934322245808384029169299382853413147390505477065761633976373362,
41037270906646381161943193245472673282253590700725246354740042685574618941505,
26465673628980636091049213717769341512445753008415873261263203826832299352951,
37036784788783168689308644616358821855616430701564621669397983274253847911044,
16882309834972349171728263406452316383132803207143172570189837375172214690963,
49236009794362178305819055463654400779656334164463557593816047235183326696206,
39126492963181209630544294313956192397928968809823631059639413986679789778216,
43658389378690206885714590070566109002458688834417247158444257250935092974665,
16333104498316984295745962415236263230477082737132070203651697035209925593266,
2343404888674146320460570191540978518333195833255755810571688909855019156349,
24634045350057319695041104791403403368011675948761890270733136933077818947573,
24387229815091645818728740871562656675244609698356948940855886553509325623218,
34856435078036813743723173976791961760363416490222768467602434757897150562809,
22463928646505673196264844647723745514489344400622648158270067812328221291172,
38337547475660790190067897986042722249254601625800102257245591381379028610987,
30884758170575514019575313258747378429451169785327990741538528539964746232511,
407062347257081198418184706020217550797090175697390265997395699504028840069,
46072527669630030314941843287930470349120547732416735746099013950369555752487,
26598420173680844002096268043589508593110520210883302319058895397482348813138,
5468186730708689095665003796421147031372937271113374556364693295567666309881,
20408443200377694476685908188621206365577738334727573068844969120059071063384,
46981234183655934922934842049383026387012791700440415493493702691352740266098,
33551792494519814298680232023513160371021410923276291252829879529580574549607,
44191750214736553132933384320160073484141698637542792822319467448466449199959,
52082663085085422534369913780529050462333401292522763448650886744352341477846,
43609725693554764598774802211508572436819354508573541391712385270827954088014,
5509314597941212988576665300843166762362117860942586466472903661374654433047,
5559029914528165704027960512924831270184459421996344081783499760333465840454,
33524678638941473952008777383950476291303669122863259465508971654565607710124,
45645434759869537782219495003520693614316744086502894675070357053578529462611,
21634412361943063812483816878212759698145592627132630568177240468236243443997,
17296076019245918134776233380747899670718046224411673517180705100767962406954,
51440070128252977573576752509509289893411386048688470945863901737258119109741,
3594222373894239759942466635754825806993182513993455014470212549644348436736,
47959769456918498933526528689384868494120276948030111429507861237362437496210,
33000764793048989170342190628396476268404452069453776919602031823454420654656,
42826490422129152698636386897788577399393533635964594559886553174637239521118,
52295329105725197789753101315429895369766102629019133090017712989241053783558,
47880622238513674104247747676583724803255466382975859845069693487703628947714,
43936946713208191402441184330937985658846334880823513129204372649490118165491,
40251165390594695927371248080107666232732935108005358445481599233717782638896,
4374561185857417857316731922491353498974134405011029557830297994813315862559,
36035028519117241692429568027060454516008330481155302030640451954673337039870,
17169679336575379664065214518686885005225695064353947035596355048982268831028,
15880917696586343406953592641564615996605082216639892270189959812763710888748,
44053791831887360310582759225296188780718960772971991969178524168816504578804,
17891697801976794338721931255832783817787274947410906666444514892619618334272,
41860684084301922118560078323296728501588433716011882280914057750677004252514,
39634237355488544158215275263851269921534055658196710011242793797355974120931,
17147446725471655980188874591608844349450837795690392086436662207272648235970,
19402693173125609969856950331264436884921152880190529800026177590116055294038,
10691603198079109355998270513275267963583839999640707229593969158192066085397,
47540627356602773888603132684733863602762111482745208345804634126586257262607,
5915674545476155673196233396217928914866410645604699985302660208523245942237,
111251938011213760763774859243277527837142141250061606873636423012197111197,
35063286980316874255015992522343006303508619821794962259547057506813060931773,
4955838234826402705564139094252802999139115369004968713576517960060305039082,
13792409982596927634720969816052864004355280343403291329940320489270508883803,
35825741100880023876488868468112742657673252321462610504266451341355067205610,
28460915945533593428542040906830378549800618474095963851867763677018897302929,
9713844506249087416664024364428812240068094374028199286225738527757038112467,
40679805732400884118723774115665481614915421978306297159251228478606230752474,
29757946798627258745416990533455815630324656030573466209153051560180917776353,
48357362019104750186375328819952102172608585465016965207540831676602884269263,
32940491071431805169868501574465967021193902185553749640148719707932598780469,
7473125368630470049034003737446766486818477818719886735195316440180323968735,
49797314418731632305394406125363649977467316746705136554158771555038756351980,
29423812245635343436136357631167744312439395772431168176499761020256672974116,
17752952597488467689955328967514036081230334268062286286791238444994797946364,
11187314008830530006226896925828877981837282277801039676209354309840830166312,
1460570367181490316969148060693926446394822620570366788008558284806968117734,
2845512215983531260468619146202988365036283019984734085030635808663534080897,
13678775934492824068869109923010846046122089274150470818447401546000515089448,
41560010339997824874371372926655493150700423413706122338193288307311885566768,
44104701369840880307377204949341973251175518351389507661546336745348450403920,
16099171949124285044549692766555664705752094379574657435086067387762269145164,
10885502210016683506969436609216522437947532105991633231562168011909638111557,
52156298020032266431787014754649280499452461532044760665828040879517728539708,
33945410025064742625417443716276958550285900443924582459678703741650438534809,
42330185455056468790993939554345514151954186453281863597765777627606599578516,
4657049000824091386723963460476049183867985168345526464398818750489141737163,
21923801997589000370088914236235074435502416056621470668050389849529574106202,
15805689248891728058742321832039785423037087284565290950005114696831443231147,
45984185687363711365029866793756997560497628108006072393015670720821342880668,
39156427118840011190894400331617643276463742427839568112463350872444907680494,
17893081445111736451083202165540649827781358816986209263756161212394728333001,
36437118588111746025389127729913810175419804691977510411734238734357426423809,
48260118028483684631326190969379716083209813670977725322552249653459435387882,
40486986020827308332276345571616851806907994309632663940769016980912192516960,
35099819227656121544999230187647432362290129526704475429625894785506342902690,
27580239951806652383156459031577005530932247841092109348006802746879132126644,
23271341957819036356728305748625419304831156372249949335195015298360923297133,
42515055996716749819345238125802133364043851479046925751568447538867534641232,
28714009840464082058245378340345146078016662568993921795177048501158035190256,
1111216851713657365641977385220157904693120725668727899264987734176843126786,
34412967565386968523345579224490035779382635330951678114018655424976710134202,
42139998487524182591996890653589805817774015986629937281031206233447268328582,
21691713516840627241183176855164665841929652491546118303064101066110796188953,
27652419528236676047196125264032473043981854331278230828308077279941937298620,
31211569185747715573358506785717075277547885839683427922002064474550453938720,
12885686250323264975654813526936397901419023857524625007681452625820802164214,
38368208456555528544874775339563689416708041768804542366734634684956870468665,
17014127458377497594462762243899040828274799467801458439796258262209705848999,
18339473410858561688021816579378042667435599228737095147372090986285098295729,
30243070523454822835312974811746059176298060623371243491658504828859436915867,
6856623016702194887799030091421067262770379379384975426793372305588238369793,
14584928177339868798941696431226120632338622678933396299538143948251685736857,
28963568590115676917816187714525023427152141272289632646661816895205441501344,
15821449895801494782675541871540375313851597664972871699624592153555269853492,
26870110211337166665285488169972107901304782738602697811217352528389112713316,
29654640625766553122308126800147704038633411112031981115431401674463728957870,
45387771697529877530693987615375947783672003547457057946997587632853767376485,
51530073844213986083224257489799416809305283668200085363164553259742628578601,
39500637489121678568797859105259741238785871932514496730971686474963916800838,
34638632655721665381292046101540251812987268394182233780890406749905123665498,
47558773840542513144047273382754220597014222776549583477762891202886304283558,
34464683426026223214818536296789584915103714217643035512538086729011924346398,
50661423324933414471281644339552326226886136985713868196538700335246118227921,
16026951337367383175610820246210183497734025720194433489132017234538604936414,
33572475268799564642745000649407837861228346301126684294541252715366099579094,
26220434981437976873498592303656146371158505657662010285451539733034399969825,
31040488125858696173362986090795905945928951823554908571888900564555975057860,
47286385036886749775224009536390346046643937618292722852399698152345906543537,
20950917282535983122464307959293663918938997314569186126689031705635737272062,
16685712499755301665281386819771726363157372904949135525550583883571962834528,
18683291445525541017294795892345078328382688847480507122165708511223740177458,
2608268839331669212463985078421319322001352992807108968314090990777368891770,
40037105172855926626375817902131326490267684706159606232991633054381953553026,
21626330967116418140505001603028197974177240574915763170077069271066169546158,
35330469786033362269122965704661462637931218147681429112041541870602933338162,
7959740499179483922969783988740981409045430979967212583073048384801003055527
];
}

View File

@ -0,0 +1,80 @@
//test
pragma circom 2.1.9;
function round_constant_2_to_1() {
return
[
44510337639712444877093863969199054965277800588455612249278638908194748645831,
21803715039317278198490310228838761820084178670568647145430631061363562182159,
7624865858307587153533893753671854337113466346291121078558552645350285711947,
40816250157678830542785454550323790288400761867270997552332922267166370848099,
26700489303136047462599262740180012654857443933973506452655094204874268181798,
29300041198680547975810813644545348954050411371551740473502764872245855641482,
26494260871076350781917504826961109818301921647993891506179327799406892257760,
51471943067203395853539598076816386277188697473371359746626216561944728278869,
48874150250826827063647140518997592549563417409147246235831213929889330889464,
4957296567799842922524759318027693610815701909959689401077625970883603151110,
49787130886622940646628207982474849305464467960406760686521606845929813913147,
38626507234346048667761615866199783635070759234617387640403950557591257611930,
43672937506493322470130890010227422460105683953151094688032165492686807529714,
10282858088808039236495153687326481750629167926398528104702176163827531439774,
5929373583590601619353793840106929273025491048347772550388315300478156302480,
40523767159781096993564794726793344971416282562716017669035314514589021856544,
35087653160263082011551011896785452178273871331090954735353760094574180797326,
44066134544197993553720315073514236799698542066082224906667320314729128689851,
46811190561503483095087189032015959148465356044838419985597715002375968521789,
35502138198479058392251639631217384470706251578088034693745546686222031522574,
3011951966042824356793101436014075881633742606023423824609791334873649401619,
36441783079799715976603149530703751751672873737838939240893549516900746063885,
5949000965032854376013985161729805610095473216976505768565157587449663833146,
39334547265154726054631299624100840161191136653442409769156478840344483284117,
44407194440944549422962884120864337491414458688079798116475114348830479824132,
17726376508115223453307205134714318843193912409715438117420622264717671262663,
756868613004458973360577644537468651009832005811964377612175868388980341238,
3421893741771938128946389260799798658478598753415463644298734220953059738355,
13293243933107737951928282334791569607692876620282367672054893180625816893632,
11906453198605884256628058547608350794281153234160543833653104246224561572116,
41007993900563419378450318427807675773574107233531791780559911428122060668864,
48053112103639043655338341411293547635466618118313162578053483741000954697443,
32234194819559922425974652761643838211443296225838831687358769666643041225472,
48939529425812404248175324082406620877605698116805848434311747711965735603142,
23172302197508009638107441698229967178757578829167657081073715837516157038684,
26828245904250884987904133111377098838723772557669646848196202419087853870872,
36025164071480125389137319620343252251920437049927443652919962965645042660420,
42147865145919705097445974287709456827305052297675196211654971979806749888911,
20585606416170880487041307637777839232517038894653375498347934603702403525799,
1047663270527934381838445994762652910090839507177449076034186708210288801902,
49864990265274912108645272682223261996354786042911445790248422528668444967688,
20274910123179255493744356413243132767746258718293295072669857132542604950741,
39934722872842035804029775488645871956511886709858512717725127998627130523912,
33295937568441654166303959882114891655347924209941192993151592385097862772126,
39198754144978337534654702520273605486297255614756323128663775493042981926264,
48114214484211668830722398263059235215883885642960292320018016482221617479308,
20857205525756474383857323509517945359548153106777905032259140536596758842151,
20481512031474492331394869498229505122694442073123511672315331466779200648987,
5512348932066875222255592673449822544023582557729178288775446420395599163714,
14748707870289380337081091822758247948394420380976550635416667891847265434773,
20722592968207591585193709289557966995643707360519106502308701025990663556112,
30345071158541998337681526950804671230825251993252779307899796752848528236301,
37998633152333475045376762610205951441947316428701472139959038991258723083573,
25187075483245106412039082847435291293567789993240499080077480139071082713811,
19421269742609173994970218921590288196829015512476170234735579602917648585528,
44645626649350902490681022627010246390651823839290377812847048196342039743308,
38015410591674700109176981164929629504879929166582206795827935147005325179107,
15907673084411204300870039215095416489657280867726923876605554605918361454411,
4839910768263945909615643698821897421248623201436406727882801614226282796736,
11993166323725114372511567048380837525145267539902083755578961856890086640616,
13920948384274828210917386586592591296235909076917892178237942711445546791673,
890670937435713979056767019654860866935017937714294844928044822115961948695,
17228860181078068965008756660486864527552317469394243328944319614877053158985,
10077644153064320976006893555780056518106113458749153233744229760482343163199,
49940012233787551970719440300197866554675665187348390484098206972627022147562,
46156268877611784805956766593634373731938578230585206172333523828368963221701,
22953533088186447995354081903847946065608888217162100116127853233026059928601,
52274456635025394989373456728632213614198023598074828050923870917877714774032,
10763107301772445560209819564880953581415947909035345171575074311681161298071,
18925434003927090811791086956853651992753402455627802833236246367412669605539,
44640541969065703218376218137336488126193962189090743983027473909004591005110,
6325804276918590364991192431609508508777152352802958405080031341778877821773
];
}

View File

@ -0,0 +1,96 @@
//test
pragma circom 2.1.9;
function round_constant_4_to_1() {
return
[
11865901593870436687704696210307853465124332568266803587887584059192277437537,
37413344849675497106163505103761203874617077416461933389729149896951619083615,
32493856687297537788073517556470839888070933486712636845483468275561142904504,
8106572321306448561272383558012749963748358844705299406391447161298410877832,
11707331945334514286120137391947350087632085623772869951863164361695922976568,
50176353669915139758684707864014381736527453065793678083699453978150986704353,
7614231165138437703715796351400512419034157550777684039873810826440625723695,
17108745804308684637964438487237723214541645477949369557189249702220750722331,
28482709556494724328894800736802198653800073555798724636385135549439085356742,
22084621272529558534346674593668266856649195963035162420257478396107381285157,
11065046937453971018193111360820446155970823623967390073553725256595768408791,
20163386569362559253936962862374791389308839238220230985809310822791529262025,
3941572053547598429065422950522133819874343789089916995553450661687375302109,
26478286544099137612981910043301624023925078357447813396543283503388535703096,
20695873604353009531429015276900191600064214090812802713214397507580078182919,
13125722302273298866746961565666978849814465870768123336569424431819752980076,
36198064501926046106576802008779486932990788729159233810880339338049275796987,
44304460846758155168737768840994398685118878625607355725968797162919830864102,
33427295080737122973704388239917504856466726697805464799279074730831006493899,
33676819385378678616140345579679379172852136878360832374035200947147349341877,
44698579309865383047943970651850256651158236406641741596599260270592257060333,
9785548396072733556484927856146778907814788851086349315764873426432645263872,
13443943788901083053739342733252043423900693132812974385986650498262359453435,
50643729733611061821734405325096960434556494526582143101458996741611494836986,
9762302758250004682914036756566790454206292929079802149918241419991743778078,
19475373737975172049750799347581927313285945820087657933615778552974211829387,
26326676308398320579169539788392437654921007121904386041440053251920191437301,
33434337088018971767011967694326287068660679954245122268447231545106574191053,
21854837019991553667332010956652219921642250105983660108852707854862240766704,
1855873836256370364169888814967543928768577071445146807885001909257610924575,
48105724357874736702308498318239595022868478610964925776544998873327877770469,
6893757226114776013992120610353413647048965744053221939747330482283347049271,
49492933790401867565879330847407697876101917412920943837692305231776568086150,
43522959518323197786977932091172575965428037444858136419745890338308804820810,
39369220628770987071776708725487093142438968678975788148890686830600891659237,
24332002500271167754445178113059124234684848763578719088484322891936508359054,
32863475623207582419161401899951874256189430526558709698459253237664899579477,
8315390532973093090228198037973187268458339671135900692256692995983001224287,
41596164941281344945126840056611498785955123869980989807278169650894369778621,
41140021013127548285923961611241892352480288807646515822914427245468443615449,
42624333566444295089232230699974262280460377983015559040916764999567317327294,
29425841969458336716648866633284898031574592123216791821970989517602546368463,
20194832349178074328255630030474794676357522951312816945265283318496141911576,
33508834389330212986852784163678812323448884912646004437785005736522859730449,
20197489266521008707527755143868210833027985912465941510937472218208331469324,
38189796622106345878699238475711002255025750905901925248625120562682573353793,
48437331749916394313065146750618123382683254942785601073233866557242834888501,
34815884667490928168338620954175830688114531237099462583592020572423301193334,
1316079587764339149090919530288539945185249635387918305928554726824292235069,
33564480841331620167847153616337187248054503582700661803825728035418602546478,
4635634898381888421672273828316335969974599848444510316738469345444620659008,
8644506076646842294589324870931361199184791348209582052726445382015132439419,
39498585060657083972778194861599167626335350278223243726925173218749695943806,
42901602831339057007425445486193581840749112246589631302873671293308101878875,
20119933204882102974459031584507100339282292349398588923453836079377072829543,
7917862289043363038204972116125424279857433068189510615392330392863075948512,
41284417024025222157952919191031968108126105524670279472881067727309802924938,
11213861995768467857413038001306057240793870929626059934261458727946548965379,
2291742710611132809700323762125675349484016058554275673428643410085506076100,
30099159053997341705317995418169313532098300934328131162175924134794709943047,
447035513285578307783519781307142266645679652807941291454847780415896684065,
19941446202184504378547837635870560393064630187876613630546846906393007677289,
7595261399959684629699197426920893479848768772071384660164934610968891053864,
51598580281806900142260694365187051410317675046136337884836978415482902327015,
12450848281586712352554721829724230078424064515794153380314705783292880037478,
5237102499670441785007944785581992844697685968922355014280712201430686167152,
1412524057853628881005630586377727487233247150373319518286783509614859257068,
38519766408760192821848550196157518411386556623071006612683448412823634200875,
11338671486975802181674275776989710780888734229624346786700048285586675342901,
23124572501783393477231165425714476214042723292141825213493635111951207504070,
21528356110015199451243279738115385806356940590132503530639630620611521954326,
6284174238932569340060925799940162325946442751185026413727709496271066916876,
48373517651545249281510690416218268384343400250317171450103976311090286221260,
27752440147182328733098243645400559151338503658043397110598417983425635093551,
43156725395743020846958899706072234263962738024394096815001388170789961679788,
48906049704561774201639151262665470255437206145980347197443063657678740507943,
24918160465086526594937065443815615610757370328053649165018481775513828479869,
36462368786443951186110721729238677880688318912401935278190656741197184273952,
37367696075403883562827939745268661270924157618310868295845006320225084994632,
42130603320119794983803262970740129474583503116320676437504579920473229006778,
12096038367976885628335054904138821822550042039079703385879844461517464118581,
34671362090033614505367959844073659507869267381932134573786004532584171425818,
15908652423714359894720614650322760756461828514699821946843077879932200328081,
7518568119601342737128460613704294443674406422237476295695786631549469567412,
33513737101700389003254558060695049730922342329295390135821890558696123720054,
49765425774819103826723198731734445691737353182147628471479513204868044796119,
48731721046471530891684818884908827036844194399863789073273030545326532602503,
1994879948378542466338304292753049990663872919840272992167645879411261807091
];
}