diff --git a/circuits/aes-gcm/component b/circuits/aes-gcm/component
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/circuits/aes-gcm/component
@@ -0,0 +1 @@
+
diff --git a/circuits/aes-gcm/gfmul.circom b/circuits/aes-gcm/gfmul.circom
index 8d1df8b..ce04ac7 100644
--- a/circuits/aes-gcm/gfmul.circom
+++ b/circuits/aes-gcm/gfmul.circom
@@ -36,7 +36,6 @@ template MUL() {
 h[1] <== a[1];
 y[0] <== b[0];
 y[1] <== b[1];
-
 component Revs[4];
 for (var i = 0; i < 2; i++) {
 Revs[i] = REV64();
@@ -83,7 +82,6 @@ template MUL() {
 BMUL64_z[i+3].y <== h_r[i];
 zh[i] <== BMUL64_z[i+3].out;
 }
-
 // _z2 = z0 ^ z1 ^ z2;
 // _z2h = z0h ^ z1h ^ z2h;
 signal _z2[64];
@@ -246,7 +244,6 @@ template BMUL64() {
 xor_multiples[i].inputs <== z_mid[i];
 z[i] <== xor_multiples[i].out;
 }
-
 // z_masked[i] = z[i] & masks[i]
 signal z_masked[4][64];
 for (var i = 0; i < 4; i++) {
diff --git a/circuits/aes-gcm/ghash.circom b/circuits/aes-gcm/ghash.circom
index 02445c2..6caf10b 100644
--- a/circuits/aes-gcm/ghash.circom
+++ b/circuits/aes-gcm/ghash.circom
@@ -37,7 +37,8 @@ include "gfmul.circom";
 template GHASH(NUM_BLOCKS) {
 signal input HashKey[2][64]; // Hash subkey (128 bits)
 signal input msg[NUM_BLOCKS][2][64]; // Input blocks (each 128 bits)
- signal output tag[2][64]; // Output tag (128 bits)
+ signal output tag[128]; // Output tag (128 bits)
+ // signal output tag[2][64]; // Output tag (128 bits)
 // Intermediate tags
 signal intermediate[NUM_BLOCKS][2][64];
@@ -77,6 +78,10 @@ template GHASH(NUM_BLOCKS) {
 intermediate[i][1] <== gfmul[i].out[1];
 }
 // Assign the final tag
- tag[0] <== intermediate[NUM_BLOCKS-1][0];
- tag[1] <== intermediate[NUM_BLOCKS-1][1];
+ for (var j = 0; j < 64; j++) {
+ tag[j] <== intermediate[NUM_BLOCKS-1][0][j];
+ tag[j+64] <== intermediate[NUM_BLOCKS-1][1][j];
+ }
+ // tag[0] <== intermediate[NUM_BLOCKS-1][0];
+ // tag[1] <== intermediate[NUM_BLOCKS-1][1];
 }
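Review bot: The new file `circuits/aes-gcm/component` holds a single newline and nothing else in the commit references it, so it looks like an accidental artifact rather than an intended source file. It should be dropped from the commit; if a placeholder really is wanted, give it a meaningful name and extension and a one-line comment stating its purpose so the next reader does not have to guess.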
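Review bot: Changing `tag` from `[2][64]` to `[128]` alters GHASH's public interface, and the old declaration is kept directly beneath it as a commented-out line; any circuit that instantiates GHASH and reads `tag[0]`/`tag[1]` (none is visible in this diff) will stop compiling. The commented-out declaration here, and the two commented-out assignments at the end of the `@@ -77,6 +78,10 @@` hunk, should be deleted rather than preserved — version control already keeps the old form, and stale commented-out signal declarations in a constraint file invite someone to uncomment the wrong one. The inline comment should describe the new layout instead of repeating the width, e.g. `signal output tag[128]; // Output tag: the final 2x64 intermediate flattened, word 0 in tag[0..63], word 1 in tag[64..127]`. The GHASH template body continues outside this hunk.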
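Review bot: The new loop fixes the wire order of the 128-bit `tag` (`tag[j]` from word 0, `tag[j+64]` from word 1), but the surviving comment `// Assign the final tag` says nothing about that order, which is exactly what `ghash.test.ts` in this same commit pins by comparing `tag` against `hexToBitArray(EXPECT)`. The choice should be stated where it is made, e.g. replace the comment with `// Flatten the last 2x64 intermediate into the 128-bit tag: word 0 occupies tag[0..63], word 1 occupies tag[64..127]`. The `64` and `j+64` literals are tied to the `[2][64]` shape of `intermediate`; a short comment or a named constant would keep a future change to the word width from silently desynchronising the two halves. The hunk ends at the template's closing brace, but the template starts outside it.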
diff --git a/circuits/aes-gcm/polyval.circom b/circuits/aes-gcm/polyval.circom
new file mode 100644
index 0000000..1b3ccc0
--- /dev/null
+++ b/circuits/aes-gcm/polyval.circom
@@ -0,0 +1,12 @@
+template POLYVAL(n_msg_bits)
+{
+ signal input msg[n_msg_bits];
+ signal input H[128];
+ // signal input T[2][64]; // TODO
+ signal output out[128];
+
+ for (var i = 0; i < 128; i++) {
+ out[i] <== 1;
+ }
+
+}
\ No newline at end of file
diff --git a/circuits/test/hashes/ghash.test.ts b/circuits/test/hashes/ghash.test.ts
index 9cac752..3b3fc4e 100644
--- a/circuits/test/hashes/ghash.test.ts
+++ b/circuits/test/hashes/ghash.test.ts
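Review bot: POLYVAL is a stub — `out[i] <== 1` for every i constrains the output to all-ones, and neither `msg`, `H` nor the `n_msg_bits` parameter appears in any constraint — yet nothing in the template says so, while `polyval.test.ts` in this same commit is re-pointed at this file. Any circuit that included this template as-is would produce the same output for every (msg, H) pair, so the placeholder status needs to be explicit at the top of the template rather than discoverable only by reading the loop, e.g. `// STUB: POLYVAL is not implemented; out is fixed to all-ones and does not depend on msg or H. Do not compose into another circuit until the real multiply-accumulate is written.` The `// TODO` next to the commented-out `T` input should say what T is intended to carry (presumably a running tag, but that is not stated). The file also lacks a trailing newline.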
@@ -7,30 +7,26 @@ const H = hexToBitArray("25629347589242761d31f826ba4b757b");
 const X1 = "4f4f95668c83dfb6401762bb2d01a262";
 const X2 = "d1a24ddd2721d006bbe45f20d3c9f362";
 const M = hexToBitArray(X1.concat(X2));
-const EXPECT = "bd9b3997046731fb96251b91f9c99d7a";
+const EXPECT = hexToBitArray("bd9b3997046731fb96251b91f9c99d7a");
 describe("ghash-hash", () => {
- let circuit: WitnessTester<["msg", "H"], ["out"]>;
+ let circuit: WitnessTester<["HashKey", "msg"], ["tag"]>;
 before(async () => {
 circuit = await circomkit.WitnessTester(`ghash`, {
- file: "aes-gcm/hashes",
+ file: "aes-gcm/ghash",
 template: "GHASH",
- params: [128 * 2],
+ params: [2],
 });
 // console.log("#constraints:", await circuit.getConstraintCount());
 });
 it("test ghash", async () => {
- const input = { msg: M, H: H };
- const _res = await circuit.compute(input, ["out"]);
- // TODO(TK 2024-08-15): bug, result returns 256 bits
- // take the first 32 bytes
- const result = bitArrayToHex(
- (_res.out as number[]).map((bit) => Number(bit))
- ).slice(0, 32);
- console.log("expect: ", EXPECT, "\nresult: ", result);
- assert.equal(result, EXPECT);
+ const input = { HashKey: H, msg: M };
+ console.log("input message length: ", input.msg.length);
+ console.log("input hash key length: ", input.HashKey.length);
+ console.log("input message: ", EXPECT);
+ const _res = await circuit.expectPass(input, { tag: EXPECT });
 });
 });
diff --git a/circuits/test/hashes/polyval.test.ts b/circuits/test/hashes/polyval.test.ts
index 75ca7ca..8ada108 100644
--- a/circuits/test/hashes/polyval.test.ts
+++ b/circuits/test/hashes/polyval.test.ts
@@ -14,7 +14,7 @@ describe("polyval", () => {
 before(async () => {
 circuit = await circomkit.WitnessTester(`polyval`, {
- file: "aes-gcm/hashes",
+ file: "aes-gcm/polyval",
 template: "POLYVAL",
 params: [128 * 2],
 });
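Review bot: `console.log("input message: ", EXPECT)` on the new side prints the expected tag, not the message, and together with the two length logs and the unused `_res` binding it reads as debugging left in the test. `expectPass` already fails the test on a mismatch, so the `it` body can be reduced to `const input = { HashKey: H, msg: M };` followed by `await circuit.expectPass(input, { tag: EXPECT });`. With `bitArrayToHex` and `assert` no longer used in this hunk, their imports at the top of the file (outside the hunk) may now be dead and are worth checking. The new `WitnessTester<["HashKey", "msg"], ["tag"]>` parameter and `params: [2]` are consistent with the renamed GHASH signals and the two-block message built from `X1.concat(X2)`.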