feat(rln): import sapling-based poseidon

From RLN lib, should probably be rewritten to use arkworks
2022-03-17 14:52:34 +08:00 · 2022-03-17 14:52:34 +08:00 · 445c12da29
parent 6bc2fcabaa
commit 445c12da29
3 changed files with 240 additions and 0 deletions
--- a/rln/Cargo.toml
+++ b/rln/Cargo.toml
@ -56,3 +56,8 @@ zkp-u256 = { version = "0.2", optional = true }
 ethers-core = "0.6.3"

 tiny-keccak = "2.0.2"
+
+blake2 = "0.8.1"
+
+# TODO Remove this and use arkworks instead
+sapling-crypto = { package = "sapling-crypto_ce", version = "0.1.3", default-features = false }
--- a/rln/src/lib.rs
+++ b/rln/src/lib.rs
@ -9,6 +9,8 @@ pub mod poseidon_tree;
 pub mod public;
 pub mod util;

+pub mod poseidon;
+
 #[cfg(test)]
 mod test {
    use super::*;
--- a/rln/src/poseidon.rs
+++ b/rln/src/poseidon.rs
@ -0,0 +1,233 @@
+// Adapted from https://github.com/kilic/rln/blob/master/src/poseidon.rs
+//
+use blake2::{Blake2s, Digest};
+
+use sapling_crypto::bellman::pairing::ff::{Field, PrimeField, PrimeFieldRepr};
+use sapling_crypto::bellman::pairing::Engine;
+
+// TODO: Using arkworks libs here instead
+//use ff::{Field, PrimeField, PrimeFieldRepr};
+//use ark_ec::{PairingEngine as Engine};
+
+#[derive(Clone)]
+pub struct PoseidonParams<E: Engine> {
+    rf: usize,
+    rp: usize,
+    t: usize,
+    round_constants: Vec<E::Fr>,
+    mds_matrix: Vec<E::Fr>,
+}
+
+#[derive(Clone)]
+pub struct Poseidon<E: Engine> {
+    params: PoseidonParams<E>,
+}
+
+impl<E: Engine> PoseidonParams<E> {
+    pub fn new(
+        rf: usize,
+        rp: usize,
+        t: usize,
+        round_constants: Option<Vec<E::Fr>>,
+        mds_matrix: Option<Vec<E::Fr>>,
+        seed: Option<Vec<u8>>,
+    ) -> PoseidonParams<E> {
+        let seed = match seed {
+            Some(seed) => seed,
+            None => b"".to_vec(),
+        };
+
+        let _round_constants = match round_constants {
+            Some(round_constants) => round_constants,
+            None => PoseidonParams::<E>::generate_constants(b"drlnhdsc", seed.clone(), rf + rp),
+        };
+        assert_eq!(rf + rp, _round_constants.len());
+
+        let _mds_matrix = match mds_matrix {
+            Some(mds_matrix) => mds_matrix,
+            None => PoseidonParams::<E>::generate_mds_matrix(b"drlnhdsm", seed.clone(), t),
+        };
+        PoseidonParams {
+            rf,
+            rp,
+            t,
+            round_constants: _round_constants,
+            mds_matrix: _mds_matrix,
+        }
+    }
+
+    pub fn width(&self) -> usize {
+        return self.t;
+    }
+
+    pub fn partial_round_len(&self) -> usize {
+        return self.rp;
+    }
+
+    pub fn full_round_half_len(&self) -> usize {
+        return self.rf / 2;
+    }
+
+    pub fn total_rounds(&self) -> usize {
+        return self.rf + self.rp;
+    }
+
+    pub fn round_constant(&self, round: usize) -> E::Fr {
+        return self.round_constants[round];
+    }
+
+    pub fn mds_matrix_row(&self, i: usize) -> Vec<E::Fr> {
+        let w = self.width();
+        self.mds_matrix[i * w..(i + 1) * w].to_vec()
+    }
+
+    pub fn mds_matrix(&self) -> Vec<E::Fr> {
+        self.mds_matrix.clone()
+    }
+
+    pub fn generate_mds_matrix(persona: &[u8; 8], seed: Vec<u8>, t: usize) -> Vec<E::Fr> {
+        let v: Vec<E::Fr> = PoseidonParams::<E>::generate_constants(persona, seed, t * 2);
+        let mut matrix: Vec<E::Fr> = Vec::with_capacity(t * t);
+        for i in 0..t {
+            for j in 0..t {
+                let mut tmp = v[i];
+                tmp.add_assign(&v[t + j]);
+                let entry = tmp.inverse().unwrap();
+                matrix.insert((i * t) + j, entry);
+            }
+        }
+        matrix
+    }
+
+    pub fn generate_constants(persona: &[u8; 8], seed: Vec<u8>, len: usize) -> Vec<E::Fr> {
+        let mut constants: Vec<E::Fr> = Vec::new();
+        let mut source = seed.clone();
+        loop {
+            let mut hasher = Blake2s::new();
+            hasher.input(persona);
+            hasher.input(source);
+            source = hasher.result().to_vec();
+            let mut candidate_repr = <E::Fr as PrimeField>::Repr::default();
+            candidate_repr.read_le(&source[..]).unwrap();
+            if let Ok(candidate) = E::Fr::from_repr(candidate_repr) {
+                constants.push(candidate);
+                if constants.len() == len {
+                    break;
+                }
+            }
+        }
+        constants
+    }
+}
+
+impl<E: Engine> Poseidon<E> {
+    pub fn new(params: PoseidonParams<E>) -> Poseidon<E> {
+        Poseidon { params }
+    }
+
+    pub fn hash(&self, inputs: Vec<E::Fr>) -> E::Fr {
+        let mut state = inputs.clone();
+        state.resize(self.t(), E::Fr::zero());
+        let mut round_counter: usize = 0;
+        loop {
+            self.round(&mut state, round_counter);
+            round_counter += 1;
+            if round_counter == self.params.total_rounds() {
+                break;
+            }
+        }
+        state[0]
+    }
+
+    fn t(&self) -> usize {
+        self.params.t
+    }
+
+    fn round(&self, state: &mut Vec<E::Fr>, round: usize) {
+        let a1 = self.params.full_round_half_len();
+        let a2 = a1 + self.params.partial_round_len();
+        let a3 = self.params.total_rounds();
+        if round < a1 {
+            self.full_round(state, round);
+        } else if round >= a1 && round < a2 {
+            self.partial_round(state, round);
+        } else if round >= a2 && round < a3 {
+            if round == a3 - 1 {
+                self.full_round_last(state);
+            } else {
+                self.full_round(state, round);
+            }
+        } else {
+            panic!("should not be here")
+        }
+    }
+
+    fn full_round(&self, state: &mut Vec<E::Fr>, round: usize) {
+        self.add_round_constants(state, round);
+        self.apply_quintic_sbox(state, true);
+        self.mul_mds_matrix(state);
+    }
+
+    fn full_round_last(&self, state: &mut Vec<E::Fr>) {
+        let last_round = self.params.total_rounds() - 1;
+        self.add_round_constants(state, last_round);
+        self.apply_quintic_sbox(state, true);
+    }
+
+    fn partial_round(&self, state: &mut Vec<E::Fr>, round: usize) {
+        self.add_round_constants(state, round);
+        self.apply_quintic_sbox(state, false);
+        self.mul_mds_matrix(state);
+    }
+
+    fn add_round_constants(&self, state: &mut Vec<E::Fr>, round: usize) {
+        for (_, b) in state.iter_mut().enumerate() {
+            let c = self.params.round_constants[round];
+            b.add_assign(&c);
+        }
+    }
+
+    fn apply_quintic_sbox(&self, state: &mut Vec<E::Fr>, full: bool) {
+        for s in state.iter_mut() {
+            let mut b = s.clone();
+            b.square();
+            b.square();
+            s.mul_assign(&b);
+            if !full {
+                break;
+            }
+        }
+    }
+
+    fn mul_mds_matrix(&self, state: &mut Vec<E::Fr>) {
+        let w = self.params.t;
+        let mut new_state = vec![E::Fr::zero(); w];
+        for (i, ns) in new_state.iter_mut().enumerate() {
+            for (j, s) in state.iter().enumerate() {
+                let mut tmp = s.clone();
+                tmp.mul_assign(&self.params.mds_matrix[i * w + j]);
+                ns.add_assign(&tmp);
+            }
+        }
+        for (i, ns) in new_state.iter_mut().enumerate() {
+            state[i].clone_from(ns);
+        }
+    }
+}
+
+#[test]
+fn test_poseidon_hash() {
+    use sapling_crypto::bellman::pairing::bn256;
+    use sapling_crypto::bellman::pairing::bn256::{Bn256, Fr};
+    let params = PoseidonParams::<Bn256>::new(8, 55, 3, None, None, None);
+    let hasher = Poseidon::<Bn256>::new(params);
+    let input1: Vec<Fr> = ["0"].iter().map(|e| Fr::from_str(e).unwrap()).collect();
+    let r1: Fr = hasher.hash(input1);
+    let input2: Vec<Fr> = ["0", "0"]
+        .iter()
+        .map(|e| Fr::from_str(e).unwrap())
+        .collect();
+    let r2: Fr = hasher.hash(input2.to_vec());
+    // println!("{:?}", r1);
+    assert_eq!(r1, r2, "just to see if internal state resets");
+}