Skip to content

Commit

Permalink
note conflict in tests
Browse files Browse the repository at this point in the history
  • Loading branch information
@thor314
thor314 committed Aug 16, 2024
1 parent ddd4858 commit bbebe4e
Show file tree
Hide file tree
Showing 2 changed files with 29 additions and 86 deletions.
87 changes: 17 additions & 70 deletions circuits/aes-gcm/gfmulx.circom
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,61 +3,8 @@ pragma circom 2.1.9;
// include "circomlib/circuits/gates.circom";
include "helper_functions.circom";


// // Multiplies `in` by x in GF(2^128) defined by the
// // ghash irreducible polynomial x^128 + x^7 + x^2 + x + 1
// template ghash_GFMULX() {
// var size = 128;

// signal input in[size];
// signal output out[size];
// signal temp[size];


// // Get the most significant bit of the input signal
// var msb;
// msb = in[0]; /// [>1<,0,0,0,0,0,0,0]

// // Left shift input by 1 into temp
// for (var i = 0; i < size - 1; i++) {
// temp[i] <== in[i+1];
// }
// temp[size - 1] <== 0;

// component xor1 = XOR();
// component xor2 = XOR();
// component xor3 = XOR();
// component xor4 = XOR();

// // x^128 = x^7 + x^2 + x + 1
// // XOR the input with msb * (x^7 + x^2 + x + 1)
// for (var i = 0; i < size; i++) {
// if (i == size - 1) {
// // x^0 term
// xor1.a <== temp[i];
// xor1.b <== msb;
// out[i] <== xor1.out;
// } else if (i == size - 2) {
// // x^1 term
// xor2.a <== temp[i];
// xor2.b <== msb;
// out[i] <== xor2.out;
// } else if (i == size - 3) {
// // x^2 term
// xor3.a <== temp[i];
// xor3.b <== msb;
// out[i] <== xor3.out;
// } else if (i == size - 8) {
// // x^7 term
// xor4.a <== temp[i];
// xor4.b <== msb;
// out[i] <== xor4.out;
// }
// }
// }

// compute x * `in` over ghash polynomial
// ghash irreducible polynomial x^128 + x^7 + x^2 + x + 1
// ghash irreducible polynomial x^128 = x^7 + x^2 + x + 1
//
// spec:
// https://tools.ietf.org/html/rfc8452#appendix-A
Expand Down Expand Up @@ -97,44 +44,44 @@ template ghash_GFMULX() {
}

// compute x * `in` over polyval polynomial
// polyval irreducible polynomial x^128 + x^127 + x^126 + x^121 + 1
// polyval irreducible polynomial x^128 = x^127 + x^126 + x^121 + 1
//
// spec:
// https://tools.ietf.org/html/rfc8452#appendix-A
//
// rust-crypto reference implementation:
// https://github.com/RustCrypto/universal-hashes/blob/master/polyval/src/mulx.rs#L11
template polyval_GFMULX() {
var block = 128;
signal input in[block];
signal output out[block];
signal input in[128];
signal output out[128];
// v = in << 1; observe that LE makes this less straightforward
signal v[block];
// if `in` MSB set, assign irreducible poly bits, otherwise zero
signal irreducible_poly[block];
var msb = in[block - 8]; // endianness: 0 in polyval, 127(?) in ghash
signal v[128];
// if MSB set, assign irreducible poly bits, otherwise zero
signal irreducible_poly[128];
var msb = in[128 - 8];

component left_shift = LeftShiftLE(1);
for (var i = 0; i < block; i++) {
for (var i = 0; i < 128; i++) {
left_shift.in[i] <== in[i];
}
for (var i = 0; i < block; i++) {
for (var i = 0; i < 128; i++) {
v[i] <== left_shift.out[i];
}

// irreducible_poly has 1s at positions 1, 121, 126, 127
// 0000 0001... <== encodes 1
// ...1100 0010 <== encodes 121, 126, 127
// ...0100 0010 <== encodes 121, 126
for (var i = 0; i < 128; i++) {
// irreducible_poly has 1s at positions 1, 121, 126, 127
// 0000 0001... <== encodes 1
// ...1100 0010 <== encodes 121, 126, 127
if (i==7 || i == 120 || i==121 || i==126) {
// if (i==7 || i == 120 || i==121 || i==126) { // passes rust-crypto
if (i==7 || i==121 || i==126) { // passes ietf spec?
irreducible_poly[i] <== msb;
} else {
irreducible_poly[i] <== 0;
}
}

// compute out
component xor = BitwiseXor(block);
component xor = BitwiseXor(128);
xor.a <== v;
xor.b <== irreducible_poly;
out <== xor.out;
Expand Down
28 changes: 12 additions & 16 deletions circuits/test/gfmulx/polyval_mulx.test.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -136,13 +136,6 @@ const mulXTestVectors = [
"010000000000000000000000000000c2",
];

// polyval irreducible polynomial: x^128 + x^127 + x^126 + x^121 + 1
// note that polyval uses LE encoding.
const polyvalIrreduciblePolynomial: number[] = Array(120)
.fill(0)
.concat([1, 0, 0, 0, 0, 1, 1, 1])
.reverse();

describe("polyval_GFMulX", () => {
let circuit: WitnessTester<["in"], ["out"]>;

Expand All @@ -157,7 +150,6 @@ describe("polyval_GFMulX", () => {

it("test polyval at all bits set", async () => {
let bits = hexToBitArray("01000000000000000000000000000000");
// for (vector in mulXTestVectors) {
for (let i = 0; i < mulXTestVectors.length; i++) {
const expect = mulXTestVectors[i];
const _res = await circuit.compute({ in: bits }, ["out"]);
Expand All @@ -170,14 +162,18 @@ describe("polyval_GFMulX", () => {
}
});

// // ref: https://datatracker.ietf.org/doc/html/rfc8452#appendix-A
// it("compute IETF test 2", async () => {
// let bits = hexToBitArray("9c98c04df9387ded828175a92ba652d8");
// let expected_output = hexToBitArray("3931819bf271fada0503eb52574ca5f2");
// // console.log(bits);
// // console.log(expected_output);
// await circuit.expectPass({ in: bits }, { out: expected_output });
// });
// ref: https://datatracker.ietf.org/doc/html/rfc8452#appendix-A
it("compute IETF test 2", async () => {
let bits = hexToBitArray("9c98c04df9387ded828175a92ba652d8");
let expect = "3931819bf271fada0503eb52574ca5f2";
const _res = await circuit.compute({ in: bits }, ["out"]);
const result = bitArrayToHex(
(_res.out as (number | bigint)[]).map((bit) => Number(bit))
);
console.log("2");
console.log("expect: ", expect, "\nresult: ", result);
assert.equal(expect, result);
});

it("tests hexToBitArray", async () => {
let hex = "0F";
Expand Down

0 comments on commit bbebe4e

Please sign in to comment.