
feat: Ghash exterior template (#62)
* impl bmul multiplication subroutine

* impl gfmul (mostly)

* implement rest of mul

* ghash: full hash

* wip: ghash + tests

* bug squashed, onto the next one

* diagram adjust

* test harness working

---------

Co-authored-by: Thor Kampefner <[email protected]>
0xJepsen and thor314 authored Sep 16, 2024
1 parent 8616f12 commit e574c54
Showing 6 changed files with 31 additions and 20 deletions.
1 change: 1 addition & 0 deletions circuits/aes-gcm/component
@@ -0,0 +1 @@

3 changes: 0 additions & 3 deletions circuits/aes-gcm/gfmul.circom
Expand Up @@ -36,7 +36,6 @@ template MUL() {
h[1] <== a[1];
y[0] <== b[0];
y[1] <== b[1];

component Revs[4];
for (var i = 0; i < 2; i++) {
Revs[i] = REV64();
Expand Down Expand Up @@ -83,7 +82,6 @@ template MUL() {
BMUL64_z[i+3].y <== h_r[i];
zh[i] <== BMUL64_z[i+3].out;
}

// _z2 = z0 ^ z1 ^ z2;
// _z2h = z0h ^ z1h ^ z2h;
signal _z2[64];
Expand Down Expand Up @@ -246,7 +244,6 @@ template BMUL64() {
xor_multiples[i].inputs <== z_mid[i];
z[i] <== xor_multiples[i].out;
}

// z_masked[i] = z[i] & masks[i]
signal z_masked[4][64];
for (var i = 0; i < 4; i++) {
11 changes: 8 additions & 3 deletions circuits/aes-gcm/ghash.circom
Expand Up @@ -37,7 +37,8 @@ include "gfmul.circom";
template GHASH(NUM_BLOCKS) {
signal input HashKey[2][64]; // Hash subkey (128 bits)
signal input msg[NUM_BLOCKS][2][64]; // Input blocks (each 128 bits)
signal output tag[2][64]; // Output tag (128 bits)
signal output tag[128]; // Output tag (128 bits)
// signal output tag[2][64]; // Output tag (128 bits)

// Intermediate tags
signal intermediate[NUM_BLOCKS][2][64];
Expand Down Expand Up @@ -77,6 +78,10 @@ template GHASH(NUM_BLOCKS) {
intermediate[i][1] <== gfmul[i].out[1];
}
// Assign the final tag
tag[0] <== intermediate[NUM_BLOCKS-1][0];
tag[1] <== intermediate[NUM_BLOCKS-1][1];
for (var j = 0; j < 64; j++) {
tag[j] <== intermediate[NUM_BLOCKS-1][0][j];
tag[j+64] <== intermediate[NUM_BLOCKS-1][1][j];
}
// tag[0] <== intermediate[NUM_BLOCKS-1][0];
// tag[1] <== intermediate[NUM_BLOCKS-1][1];
}
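Review bot: The commented-out assignments left beside the new code — `// signal output tag[2][64];` directly under the new `tag[128]` declaration, and the two `// tag[0] <== …` / `// tag[1] <== …` lines after the loop — are dead text that will drift from the code; remove them and document the new layout instead. A comment above the loop such as `// Flatten the last intermediate into tag: bits 0..63 come from limb 0, bits 64..127 from limb 1` records what the old two-limb output meant. Changing `tag` from `[2][64]` to `[128]` alters the template's public interface, so any other template or test that reads `tag[0]`/`tag[1]` as 64-bit limbs needs updating; none is visible in this diff. The GHASH body between the two hunks is not shown here.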
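--- a/circuits/aes-gcm/polyval.circom
+++ b/circuits/aes-gcm/polyval.circom
@@ -0,0 +1,12 @@
+template POLYVAL(n_msg_bits)
+{
+signal input msg[n_msg_bits];
+signal input H[128];
+// signal input T[2][64]; // TODO
+signal output out[128];
+
+for (var i = 0; i < 128; i++) {
+out[i] <== 1;
+}
+
+}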
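Review bot: The new POLYVAL template never reads `msg` or `H`; every output bit is fixed by `out[i] <== 1;`, so the template cannot be checked against a real POLYVAL test vector and neither input is constrained. If this is a placeholder, state that at the top of the template, e.g. `// TODO: stub — out is the constant all-ones vector and ignores msg and H; POLYVAL is not implemented yet`, so a reader does not mistake it for a working hash. The unused `H` input and the commented `T` input suggest the interface is still in flux; a one-line comment giving the intended bit layout of `msg` and `out` would also help the test in polyval.test.ts, which already instantiates this template with `params: [128 * 2]`.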
22 changes: 9 additions & 13 deletions circuits/test/hashes/ghash.test.ts
Expand Up @@ -7,30 +7,26 @@ const H = hexToBitArray("25629347589242761d31f826ba4b757b");
const X1 = "4f4f95668c83dfb6401762bb2d01a262";
const X2 = "d1a24ddd2721d006bbe45f20d3c9f362";
const M = hexToBitArray(X1.concat(X2));
const EXPECT = "bd9b3997046731fb96251b91f9c99d7a";
const EXPECT = hexToBitArray("bd9b3997046731fb96251b91f9c99d7a");

describe("ghash-hash", () => {
let circuit: WitnessTester<["msg", "H"], ["out"]>;
let circuit: WitnessTester<["HashKey", "msg"], ["tag"]>;

before(async () => {
circuit = await circomkit.WitnessTester(`ghash`, {
file: "aes-gcm/hashes",
file: "aes-gcm/ghash",
template: "GHASH",
params: [128 * 2],
params: [2],
});
// console.log("#constraints:", await circuit.getConstraintCount());
});

it("test ghash", async () => {
const input = { msg: M, H: H };
const _res = await circuit.compute(input, ["out"]);
// TODO(TK 2024-08-15): bug, result returns 256 bits
// take the first 32 bytes
const result = bitArrayToHex(
(_res.out as number[]).map((bit) => Number(bit))
).slice(0, 32);
console.log("expect: ", EXPECT, "\nresult: ", result);
assert.equal(result, EXPECT);
const input = { HashKey: H, msg: M };
console.log("input message length: ", input.msg.length);
console.log("input hash key length: ", input.HashKey.length);
console.log("input message: ", EXPECT);
const _res = await circuit.expectPass(input, { tag: EXPECT });
});
});

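Review bot: The log at `console.log("input message: ", EXPECT);` prints the expected tag under the label "input message", which misleads anyone debugging a failure; either drop it or relabel it `console.log("expected tag: ", EXPECT);`. The `_res` binding on the `expectPass` line is never used, so `await circuit.expectPass(input, { tag: EXPECT });` is enough. The three `console.log` calls look like debugging output left in the test; consider removing them now that the harness works, or moving them behind the existing commented-out constraint-count style of diagnostics.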
2 changes: 1 addition & 1 deletion circuits/test/hashes/polyval.test.ts
Expand Up @@ -14,7 +14,7 @@ describe("polyval", () => {

before(async () => {
circuit = await circomkit.WitnessTester(`polyval`, {
file: "aes-gcm/hashes",
file: "aes-gcm/polyval",
template: "POLYVAL",
params: [128 * 2],
});
