From e70b9d23ea9080206a9c4040978ab1eec2a82cb8 Mon Sep 17 00:00:00 2001 From: Thor Kampefner Date: Tue, 17 Sep 2024 18:00:40 -0700 Subject: [PATCH 01/15] temp push --- circuits/aes-gcm/ghash.circom | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) diff --git a/circuits/aes-gcm/ghash.circom b/circuits/aes-gcm/ghash.circom index dd20b90..714373e 100644 --- a/circuits/aes-gcm/ghash.circom +++ b/circuits/aes-gcm/ghash.circom @@ -1,6 +1,7 @@ pragma circom 2.1.9; -include "helper_functions.circom"; +// include "helper_functions.circom"; include "gfmul.circom"; +include "gfmulx.circom"; // GHASH computes the authentication tag for AES-GCM. // Inputs: @@ -101,7 +102,7 @@ template GHASH(NUM_BLOCKS) { for (var i = 1; i < NUM_BLOCKS; i++) { xor[i][0] = BitwiseXor(64); xor[i][1] = BitwiseXor(64); - gfmul[i] = MUL(); + gfmul[i] = GMUL(); // XOR current block with the previous intermediate result // note: intermediate[0] is initialized to zero, so all rounds are valid @@ -127,3 +128,29 @@ template GHASH(NUM_BLOCKS) { // tag[0] <== intermediate[NUM_BLOCKS-1][0]; // tag[1] <== intermediate[NUM_BLOCKS-1][1]; } + +template GMUL() { + signal input a[2][64]; + signal input b[2][64]; + signal output out[2][64]; +} + +// Transform the GHASH hash key to a Polyval hash key +// reverse the bits of `in` and multiply `h` by x +template ghash_to_polyval_hash_key() { + signal input in[128]; + signal output out[128]; + + signal mid[128]; + for (i = 0; i < 128; i++){ + mid[128-i] <== in[i]; + } + + component MULX; + MULX = polyval_GFMULX(); + for (i = 0; i < 128; i++){ + MULX.in[i] <== mid[i]; + } + + out <== MULX.out; +} From 4be68c3e284ec9306b741f0f0bedbe408f1e72f8 Mon Sep 17 00:00:00 2001 From: Waylon Jepsen Date: Tue, 17 Sep 2024 19:15:31 -0600 Subject: [PATCH 02/15] test --- Cargo.lock | 7 +++++++ Cargo.toml | 1 + circuits/test/hashes/ghash.test.ts | 33 ++++++++++++++++++++++++++++++ src/main.rs | 31 ++++++++++++++++++++++++++++ 4 files changed, 72 insertions(+) diff --git a/Cargo.lock b/Cargo.lock index f21ce3e..09614e3 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -110,6 +110,7 @@ dependencies = [ "ctr 0.9.2", "ghash 0.5.1", "hex", + "hex-literal", "serde", "serde_json", "tokio", @@ -1140,6 +1141,12 @@ version = "0.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70" +[[package]] +name = "hex-literal" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6fe2267d4ed49bc07b63801559be28c718ea06c4738b7a03c94df7386d2cde46" + [[package]] name = "hmac" version = "0.12.1" diff --git a/Cargo.toml b/Cargo.toml index 9ace1be..ee430e1 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -26,6 +26,7 @@ ark-serialize = { version = "0.4.1", default-features = false } anyhow = "1.0.86" serde = "1.0.204" serde_json = "1.0.122" +hex-literal = "0.4.1" [profile.release] lto = true diff --git a/circuits/test/hashes/ghash.test.ts b/circuits/test/hashes/ghash.test.ts index 3b3fc4e..7782fdf 100644 --- a/circuits/test/hashes/ghash.test.ts +++ b/circuits/test/hashes/ghash.test.ts @@ -9,6 +9,39 @@ const X2 = "d1a24ddd2721d006bbe45f20d3c9f362"; const M = hexToBitArray(X1.concat(X2)); const EXPECT = hexToBitArray("bd9b3997046731fb96251b91f9c99d7a"); +// Thor this is the test for GMUL you asked for <3 +describe("gfmul", () => { + let circuit: WitnessTester<["a", "b"], ["out"]>; + + before(async () => { + circuit = await circomkit.WitnessTester(`gfmul`, { + file: "aes-gcm/gfmul", + template: "GMUL", + }); + }); + + // these test vectors are from rust-crypto + // to reproduce run `cargo test ghash -- --nocapture` + // let hash_key = [0xaa, 0xe0, 0x69, 0x92, 0xac, 0xbf, 0x52, 0xa3, 0xe8, 0xf4, 0xa9, 0x6e, 0xc9, 0x30, 0x0b, 0xd7]; + // let ct = [0x98, 0xe7, 0x24, 0x7c, 0x07, 0xf0, 0xfe, 0x41, 0x1c, 0x26, 0x7e, 0x43, 0x84, 0xb0, 0xf6, 0x00]; + // let expected = [0x2f, 0xf5, 0x8d, 0x80, 0x03, 0x39, 0x27, 0xab,0x8e, 0xf4, 0xd4, 0x58, 0x75, 0x14, 0xf0, 0xfb]; + + // i don't know what api you were going to build so here they are broken into lower and upper 64 bit vectors + let lower_h = hexToBitArray("0xaae06992acbf52a3"); // little endian hex vectors + let upper_h = hexToBitArray("0xe8f4a96ec9300bd7"); + + let lower_x = hexToBitArray("0x98e7247c07f0fe41"); + let upper_x = hexToBitArray("0x1c267e4384b0f600"); + + + it("test gmul", async () => { + const input = { a: H, b: M }; + const _res = await circuit.expectPass(input, { out: EXPECT }); + }); +}); + + + describe("ghash-hash", () => { let circuit: WitnessTester<["HashKey", "msg"], ["tag"]>; diff --git a/src/main.rs b/src/main.rs index 3d7670a..6d1cbd0 100644 --- a/src/main.rs +++ b/src/main.rs @@ -98,4 +98,35 @@ mod tests { println!("msg={}", hex::encode(message)); println!("ct={}", hex::encode(ct)); } + + #[tokio::test] + async fn test_ghash() { + use ghash::{ + universal_hash::{KeyInit, UniversalHash}, + GHash, + }; + use hex_literal::hex; + + const H: [u8; 16] = hex!("aae06992acbf52a3e8f4a96ec9300bd7"); + const X_1: [u8; 16] = hex!("98e7247c07f0fe411c267e4384b0f600"); + + let mut ghash = GHash::new(&H.into()); + ghash.update(&[X_1.into()]); + let result = ghash.finalize(); + + let hash_key = [0xaa, 0xe0, 0x69, 0x92, 0xac, 0xbf, 0x52, 0xa3, 0xe8, 0xf4, 0xa9, 0x6e, 0xc9, 0x30, 0x0b, 0xd7]; + let ct = [0x98, 0xe7, 0x24, 0x7c, 0x07, 0xf0, 0xfe, 0x41, 0x1c, 0x26, 0x7e, 0x43, 0x84, 0xb0, 0xf6, 0x00]; + let expected = [0x2f, 0xf5, 0x8d, 0x80, 0x03, 0x39, 0x27, 0xab,0x8e, 0xf4, 0xd4, 0x58, 0x75, 0x14, 0xf0, 0xfb]; + + // Alternative. + let mut ghash2 = GHash::new_with_init_block(&hash_key.into(), 0); + let ga_data = GenericArray::from_slice(&ct); + ghash2.update(&[*ga_data]); + let result2 = ghash2.finalize(); + + println!("GHASH NEW result: {:?}", hex::encode(result.as_slice())); + println!("GHASH OLD result: {:?}", hex::encode(result2.as_slice())); + println!("expected: {:?}", hex::encode(expected)); + + } } From 1cb74e359c42a18eaaaab0fb8f34e88ccba59aff Mon Sep 17 00:00:00 2001 From: Thor Kampefner Date: Wed, 18 Sep 2024 12:22:48 -0700 Subject: [PATCH 03/15] Testing: Tests set up, naming and paths clarified, and some removal of deprecated or confusing code paths. In particular, tests updated for: - ghash - polyval - ghash_gfmul - hashkey_transform (used by ghash) --- circuits/aes-gcm/ghash.circom | 50 ++++---- circuits/aes-gcm/ghash_gfmul.circom | 11 ++ circuits/aes-gcm/helper_functions.circom | 12 +- circuits/aes-gcm/mul.circom | 121 ------------------ circuits/aes-gcm/polyval.circom | 3 +- .../{gfmul.circom => polyval_gfmul.circom} | 4 +- circuits/aes-gcm/wrapping_mul.circom | 42 ++++++ circuits/test/bitreversal.test.ts | 24 ---- circuits/test/ghash_gfmul.test.ts | 38 ++++++ circuits/test/hashes/ghash.test.ts | 66 +++------- circuits/test/hashes/polyval.test.ts | 37 +++++- circuits/test/helper_functions.test.ts | 26 ++++ .../{gfmul.test.ts => polyval_gfmul.test.ts} | 101 +++++++-------- circuits/test/wrapping_mul.test.ts | 2 +- src/main.rs | 30 +++-- 15 files changed, 270 insertions(+), 297 deletions(-) create mode 100644 circuits/aes-gcm/ghash_gfmul.circom delete mode 100644 circuits/aes-gcm/mul.circom rename circuits/aes-gcm/{gfmul.circom => polyval_gfmul.circom} (99%) create mode 100644 circuits/aes-gcm/wrapping_mul.circom delete mode 100644 circuits/test/bitreversal.test.ts create mode 100644 circuits/test/ghash_gfmul.test.ts create mode 100644 circuits/test/helper_functions.test.ts rename circuits/test/{gfmul.test.ts => polyval_gfmul.test.ts} (81%) diff --git a/circuits/aes-gcm/ghash.circom b/circuits/aes-gcm/ghash.circom index 714373e..829935f 100644 --- a/circuits/aes-gcm/ghash.circom +++ b/circuits/aes-gcm/ghash.circom @@ -1,6 +1,5 @@ pragma circom 2.1.9; -// include "helper_functions.circom"; -include "gfmul.circom"; +include "polyval_gfmul.circom"; include "gfmulx.circom"; // GHASH computes the authentication tag for AES-GCM. @@ -102,7 +101,7 @@ template GHASH(NUM_BLOCKS) { for (var i = 1; i < NUM_BLOCKS; i++) { xor[i][0] = BitwiseXor(64); xor[i][1] = BitwiseXor(64); - gfmul[i] = GMUL(); + gfmul[i] = POLYVAL_GFMUL(); // TODO(TK 2024-09-18): Update this for ghash // XOR current block with the previous intermediate result // note: intermediate[0] is initialized to zero, so all rounds are valid @@ -129,28 +128,33 @@ template GHASH(NUM_BLOCKS) { // tag[1] <== intermediate[NUM_BLOCKS-1][1]; } -template GMUL() { - signal input a[2][64]; - signal input b[2][64]; - signal output out[2][64]; -} -// Transform the GHASH hash key to a Polyval hash key +// Transform the GHASH hash key to a POLYVAL hash key // reverse the bits of `in` and multiply `h` by x -template ghash_to_polyval_hash_key() { +// +// h.reverse(); +// let mut h_polyval = polyval::mulx(&h); +// let result = GHash(Polyval::new_with_init_block(&h_polyval, init_block)); +template TranslateHashkey() { signal input in[128]; signal output out[128]; - signal mid[128]; - for (i = 0; i < 128; i++){ - mid[128-i] <== in[i]; - } - - component MULX; - MULX = polyval_GFMULX(); - for (i = 0; i < 128; i++){ - MULX.in[i] <== mid[i]; - } - - out <== MULX.out; -} +// signal mid[128]; + +// // reverse bytes +// for (i = 0; i < 16; i++) { +// for (j = 0; j < 8; j++){ +// var IDX_FROM = 120-i*8+j; +// var IDX_TO = i*8+j; +// mid[IDX_TO] <== in[IDX_FROM]; +// } +// } + +// component MULX; +// MULX = polyval_GFMULX(); +// for (i = 0; i < 128; i++){ +// MULX.in[i] <== mid[i]; +// } + +// out <== MULX.out; +// } diff --git a/circuits/aes-gcm/ghash_gfmul.circom b/circuits/aes-gcm/ghash_gfmul.circom new file mode 100644 index 0000000..8c78ce2 --- /dev/null +++ b/circuits/aes-gcm/ghash_gfmul.circom @@ -0,0 +1,11 @@ +pragma circom 2.1.9; +include "polyval_gfmul.circom"; +include "gfmulx.circom"; + +template GHASH_GFMUL() { + signal input a[2][64]; + signal input b[2][64]; + signal output out[2][64]; + + // TODO(TK 2024-09-18): produce a ghash mul wrapper +} diff --git a/circuits/aes-gcm/helper_functions.circom b/circuits/aes-gcm/helper_functions.circom index 97e6bbb..6524fe8 100644 --- a/circuits/aes-gcm/helper_functions.circom +++ b/circuits/aes-gcm/helper_functions.circom @@ -334,16 +334,6 @@ template IndexSelector(total) { out <== calcTotal.sum; } -// reverse the order in an n-bit array -template ReverseArray(n) { - signal input in[n]; - signal output out[n]; - - for (var i = 0; i < n; i++) { - out[i] <== in[n-i-1]; - } -} - // reverse the byte order in a 16 byte array template ReverseByteArray() { signal input in[128]; @@ -354,4 +344,4 @@ template ReverseByteArray() { out[j + 8*i] <== in[(15-i)*8 +j]; } } -} \ No newline at end of file +} diff --git a/circuits/aes-gcm/mul.circom b/circuits/aes-gcm/mul.circom deleted file mode 100644 index c4108a1..0000000 --- a/circuits/aes-gcm/mul.circom +++ /dev/null @@ -1,121 +0,0 @@ -pragma circom 2.1.9; - -include "helper_functions.circom"; - -// 64-bit BE wrapping multiplication. -// Implements multiplication mod 2^{64}. -template WrappingMul64() { - signal input a[64]; - signal input b[64]; - signal output out[64]; - - // Intermediate signals for partial products - // partial[i,j corresponds to AND(a[i], b[j]) - signal partials[64][64]; - for (var i = 0; i < 64; i++) { - for (var j = 0; j < 64; j++) { - partials[i][j] <== a[i] * b[j]; - } - } - - // 65, not 64, to allow for an extra carry without having to fiddle with overflow - var sum[65]; - for (var i=0; i<65; i++) { sum[i]=0; } - - for (var i = 0; i<64; i++) { - for (var j = 0; i+j<64; j++) { - var SUM_IDX = 64-i-j; - sum[SUM_IDX] += partials[63-i][63-j]; - - // covers the case that sum[i+j]=3 or more, due to prior carries - while (sum[SUM_IDX] > 1) { - sum[SUM_IDX] -= 2; - sum[SUM_IDX-1] += 1; - } - } - } - - // Perform modular reduction (keep only the lower 64 bits) - for (var i = 0; i < 64; i++) { - out[i] <-- sum[i+1]; - } -} - -// todo: deprecate -template Mul() -{ - signal input src1[64]; - signal input src2[64]; - signal output out[128]; - - var i, j, k; - - var dst_bytes[2][64]; - var src1_bytes[64], src2_bytes[64]; - - for(i=0; i<8; i++) - { - for(j=0; j<8; j++) - { - src1_bytes[i*8+j] = src1[i*8+7-j]; - src2_bytes[i*8+j] = src2[i*8+7-j]; - } - } - - component xor_1[64][2][64]; - - var const_bytes[64]; - for(i=0; i<64; i++) - { - dst_bytes[0][i] = 0; - dst_bytes[1][i] = 0; - const_bytes[i] = 0; - } - const_bytes[63] = 1; - - for(i=0; i<64; i++) - { - var src1_bytes_t[64]; - for(j=0; j<64; j++) - { - src1_bytes_t[j] = src1_bytes[j] * src2_bytes[i]; - xor_1[i][0][j] = XOR(); - - xor_1[i][0][j].a <== dst_bytes[1][j]; - xor_1[i][0][j].b <== src1_bytes_t[j]; - - dst_bytes[1][j] = xor_1[i][0][j].out; - } - for(j=0; j<63; j++) - { - dst_bytes[0][j] = dst_bytes[0][j+1]; - } - dst_bytes[0][63] = 0; - - var const_bytes_t[64]; - for(j=0; j<64; j++) - { - const_bytes_t[j] = const_bytes[j] * dst_bytes[1][0]; - xor_1[i][1][j] = XOR(); - - xor_1[i][1][j].a <== dst_bytes[0][j]; - xor_1[i][1][j].b <== const_bytes_t[j]; - - dst_bytes[0][j] = xor_1[i][1][j].out; - } - for(j=0; j<63; j++) - { - dst_bytes[1][j] = dst_bytes[1][j+1]; - } - dst_bytes[1][63] = 0; - } - - for(i=0; i<2; i++) - { - for(j=0; j<8; j++) - { - for(k=0; k<8; k++) out[i*64+j*8+k] <== dst_bytes[i][j*8+7-k]; - } - } - -} diff --git a/circuits/aes-gcm/polyval.circom b/circuits/aes-gcm/polyval.circom index 1b3ccc0..50d33c4 100644 --- a/circuits/aes-gcm/polyval.circom +++ b/circuits/aes-gcm/polyval.circom @@ -8,5 +8,4 @@ template POLYVAL(n_msg_bits) for (var i = 0; i < 128; i++) { out[i] <== 1; } - -} \ No newline at end of file +} diff --git a/circuits/aes-gcm/gfmul.circom b/circuits/aes-gcm/polyval_gfmul.circom similarity index 99% rename from circuits/aes-gcm/gfmul.circom rename to circuits/aes-gcm/polyval_gfmul.circom index ce04ac7..23ac61e 100644 --- a/circuits/aes-gcm/gfmul.circom +++ b/circuits/aes-gcm/polyval_gfmul.circom @@ -1,6 +1,6 @@ pragma circom 2.1.9; -include "mul.circom"; +include "wrapping_mul.circom"; // Computes carryless POLYVAL multiplication over GF(2^128) in constant time. // @@ -21,7 +21,7 @@ include "mul.circom"; // This shift is unnecessary for POLYVAL and has been removed. // // ref: https://github.com/RustCrypto/universal-hashes/blob/master/polyval/src/backend/soft64.rs#L151 -template MUL() { +template POLYVAL_GFMUL() { signal input a[2][64]; signal input b[2][64]; signal output out[2][64]; diff --git a/circuits/aes-gcm/wrapping_mul.circom b/circuits/aes-gcm/wrapping_mul.circom new file mode 100644 index 0000000..d9dc8bb --- /dev/null +++ b/circuits/aes-gcm/wrapping_mul.circom @@ -0,0 +1,42 @@ +pragma circom 2.1.9; + +include "helper_functions.circom"; + +// 64-bit BE wrapping multiplication. +// Implements multiplication mod 2^{64}. +template WrappingMul64() { + signal input a[64]; + signal input b[64]; + signal output out[64]; + + // Intermediate signals for partial products + // partial[i,j corresponds to AND(a[i], b[j]) + signal partials[64][64]; + for (var i = 0; i < 64; i++) { + for (var j = 0; j < 64; j++) { + partials[i][j] <== a[i] * b[j]; + } + } + + // 65, not 64, to allow for an extra carry without having to fiddle with overflow + var sum[65]; + for (var i=0; i<65; i++) { sum[i]=0; } + + for (var i = 0; i<64; i++) { + for (var j = 0; i+j<64; j++) { + var SUM_IDX = 64-i-j; + sum[SUM_IDX] += partials[63-i][63-j]; + + // covers the case that sum[i+j]=3 or more, due to prior carries + while (sum[SUM_IDX] > 1) { + sum[SUM_IDX] -= 2; + sum[SUM_IDX-1] += 1; + } + } + } + + // Perform modular reduction (keep only the lower 64 bits) + for (var i = 0; i < 64; i++) { + out[i] <-- sum[i+1]; + } +} diff --git a/circuits/test/bitreversal.test.ts b/circuits/test/bitreversal.test.ts deleted file mode 100644 index 5fd7df6..0000000 --- a/circuits/test/bitreversal.test.ts +++ /dev/null @@ -1,24 +0,0 @@ -import { assert } from "chai"; -import { WitnessTester } from "circomkit"; -import { circomkit } from "./common"; - -describe("bitreversal", () => { - let circuit: WitnessTester<["in"], ["out"]>; - - before(async () => { - circuit = await circomkit.WitnessTester(`bitreversal`, { - file: "aes-gcm/helper_functions", - template: "ReverseBitsArray", - params: [8], - }); - }); - - let bit_array = [1,0,0,0,0,0,0,0]; - let expected_output = [0,0,0,0,0,0,0,1].map((x) => BigInt(x)); - it("should have correct output", async () => { - const witness = await circuit.compute({ in: bit_array }, ["out"]) - - assert.deepEqual(witness.out, expected_output) - }); - -}); \ No newline at end of file diff --git a/circuits/test/ghash_gfmul.test.ts b/circuits/test/ghash_gfmul.test.ts new file mode 100644 index 0000000..1463460 --- /dev/null +++ b/circuits/test/ghash_gfmul.test.ts @@ -0,0 +1,38 @@ +import { WitnessTester } from "circomkit"; +import { bitArrayToHex, circomkit, hexToBitArray } from "./common"; +import { assert } from "chai"; + +// https://datatracker.ietf.org/doc/html/rfc8452#appendix-A +const H = hexToBitArray("25629347589242761d31f826ba4b757b"); +const X1 = "4f4f95668c83dfb6401762bb2d01a262"; +const X2 = "d1a24ddd2721d006bbe45f20d3c9f362"; +const M = hexToBitArray(X1.concat(X2)); +const EXPECT = hexToBitArray("bd9b3997046731fb96251b91f9c99d7a"); + +describe("GHASH_GFMUL", () => { + let circuit: WitnessTester<["a", "b"], ["out"]>; + + before(async () => { + circuit = await circomkit.WitnessTester(`gfmul`, { + file: "aes-gcm/ghash_gfmul", + template: "GHASH_GFMUL", + }); + }); + + // these test vectors are from rust-crypto + // to reproduce run `cargo test ghash -- --nocapture` + // let hash_key = [0xaa, 0xe0, 0x69, 0x92, 0xac, 0xbf, 0x52, 0xa3, 0xe8, 0xf4, 0xa9, 0x6e, 0xc9, 0x30, 0x0b, 0xd7]; + // let ct = [0x98, 0xe7, 0x24, 0x7c, 0x07, 0xf0, 0xfe, 0x41, 0x1c, 0x26, 0x7e, 0x43, 0x84, 0xb0, 0xf6, 0x00]; + // let expected = [0x2f, 0xf5, 0x8d, 0x80, 0x03, 0x39, 0x27, 0xab,0x8e, 0xf4, 0xd4, 0x58, 0x75, 0x14, 0xf0, 0xfb]; + let lower_h = hexToBitArray("0xaae06992acbf52a3"); // little endian hex vectors + let upper_h = hexToBitArray("0xe8f4a96ec9300bd7"); + + let lower_x = hexToBitArray("0x98e7247c07f0fe41"); + let upper_x = hexToBitArray("0x1c267e4384b0f600"); + + + it("test gmul", async () => { + const input = { a: H, b: M }; + const _res = await circuit.expectPass(input, { out: EXPECT }); + }); +}); diff --git a/circuits/test/hashes/ghash.test.ts b/circuits/test/hashes/ghash.test.ts index 7782fdf..c723aa0 100644 --- a/circuits/test/hashes/ghash.test.ts +++ b/circuits/test/hashes/ghash.test.ts @@ -9,40 +9,7 @@ const X2 = "d1a24ddd2721d006bbe45f20d3c9f362"; const M = hexToBitArray(X1.concat(X2)); const EXPECT = hexToBitArray("bd9b3997046731fb96251b91f9c99d7a"); -// Thor this is the test for GMUL you asked for <3 -describe("gfmul", () => { - let circuit: WitnessTester<["a", "b"], ["out"]>; - - before(async () => { - circuit = await circomkit.WitnessTester(`gfmul`, { - file: "aes-gcm/gfmul", - template: "GMUL", - }); - }); - - // these test vectors are from rust-crypto - // to reproduce run `cargo test ghash -- --nocapture` - // let hash_key = [0xaa, 0xe0, 0x69, 0x92, 0xac, 0xbf, 0x52, 0xa3, 0xe8, 0xf4, 0xa9, 0x6e, 0xc9, 0x30, 0x0b, 0xd7]; - // let ct = [0x98, 0xe7, 0x24, 0x7c, 0x07, 0xf0, 0xfe, 0x41, 0x1c, 0x26, 0x7e, 0x43, 0x84, 0xb0, 0xf6, 0x00]; - // let expected = [0x2f, 0xf5, 0x8d, 0x80, 0x03, 0x39, 0x27, 0xab,0x8e, 0xf4, 0xd4, 0x58, 0x75, 0x14, 0xf0, 0xfb]; - - // i don't know what api you were going to build so here they are broken into lower and upper 64 bit vectors - let lower_h = hexToBitArray("0xaae06992acbf52a3"); // little endian hex vectors - let upper_h = hexToBitArray("0xe8f4a96ec9300bd7"); - - let lower_x = hexToBitArray("0x98e7247c07f0fe41"); - let upper_x = hexToBitArray("0x1c267e4384b0f600"); - - - it("test gmul", async () => { - const input = { a: H, b: M }; - const _res = await circuit.expectPass(input, { out: EXPECT }); - }); -}); - - - -describe("ghash-hash", () => { +describe("GHASH_HASH", () => { let circuit: WitnessTester<["HashKey", "msg"], ["tag"]>; before(async () => { @@ -63,24 +30,29 @@ describe("ghash-hash", () => { }); }); -describe("reverse_byte_array", () => { - let circuit: WitnessTester<["in"], ["out"]>; +describe("TranslateHashkey", () => { + let circuit: WitnessTester<["inp"], ["out"]>; before(async () => { circuit = await circomkit.WitnessTester(`ghash`, { - file: "aes-gcm/helper_functions", - template: "ReverseByteArray", + file: "aes-gcm/ghash", + template: "TranslateHashkey", }); + // console.log("#constraints:", await circuit.getConstraintCount()); }); - it("test reverse_byte_array", async () => { - let bits = hexToBitArray("0102030405060708091011121314151f"); - let expect = "1f151413121110090807060504030201"; - const _res = await circuit.compute({ in: bits }, ["out"]); - const result = bitArrayToHex( - (_res.out as number[]).map((bit) => Number(bit)) - ); - // console.log("expect: ", expect, "\nresult: ", result); - assert.equal(expect, result); + // initial hashkey: [37, 98, 147, 71, 88, 146, 66, 118, 29, 49, 248, 38, 186, 75, 117, 123] + //25629347589242761D31F826BA4B757B + // reversed hashkey: [123, 117, 75, 186, 38, 248, 49, 29, 118, 66, 146, 88, 71, 147, 98, 37] + //7B754BBA26F8311D7642925847936225 + // post-mul_x hashkey: [246, 234, 150, 116, 77, 240, 99, 58, 236, 132, 36, 177, 142, 38, 197, 74] + //F6EA96744DF0633AEC8424B18E26C54A + it("test TranslateHashkey", async () => { + const inp = hexToBitArray("25629347589242761d31f826ba4b757b"); + const out = hexToBitArray("F6EA96744DF0633AEC8424B18E26C54A"); + const _res = await circuit.expectPass({ inp: inp }, { out }); }); }); + + + diff --git a/circuits/test/hashes/polyval.test.ts b/circuits/test/hashes/polyval.test.ts index 8ada108..2c8f1be 100644 --- a/circuits/test/hashes/polyval.test.ts +++ b/circuits/test/hashes/polyval.test.ts @@ -9,7 +9,7 @@ const X2 = "d1a24ddd2721d006bbe45f20d3c9f362"; const M = hexToBitArray(X1.concat(X2)); const EXPECT = "f7a3b47b846119fae5b7866cf5e5b77e"; -describe("polyval", () => { +describe("POLYVAL_HASH_1", () => { let circuit: WitnessTester<["msg", "H"], ["out"]>; before(async () => { @@ -18,7 +18,7 @@ describe("polyval", () => { template: "POLYVAL", params: [128 * 2], }); - console.log("#constraints:", await circuit.getConstraintCount()); + // console.log("#constraints:", await circuit.getConstraintCount()); }); it("should have correct number of constraints", async () => { @@ -28,12 +28,39 @@ describe("polyval", () => { it("todo name polyval", async () => { const input = { msg: M, H: H }; const _res = await circuit.compute(input, ["out"]); - // TODO(TK 2024-08-15): bug, result returns 256 bits - // take the first 32 bytes const result = bitArrayToHex( (_res.out as number[]).map((bit) => Number(bit)) ).slice(0, 32); console.log("expect: ", EXPECT, "\nresult: ", result); assert.equal(result, EXPECT); }); -}); \ No newline at end of file +}); + +describe("POLYVAL_HASH_2", () => { + let circuit: WitnessTester<["msg", "H"], ["out"]>; + + before(async () => { + circuit = await circomkit.WitnessTester(`polyval`, { + file: "aes-gcm/polyval", + template: "POLYVAL", + params: [128 * 1], + }); + // console.log("#constraints:", await circuit.getConstraintCount()); + }); + + it("should have correct number of constraints", async () => { + await circuit.expectConstraintCount(74754, true); + }); + + it("todo name polyval", async () => { + const M = hexToBitArray(X1); + const input = { msg: M, H: H }; + const _res = await circuit.compute(input, ["out"]); + const result = bitArrayToHex( + (_res.out as number[]).map((bit) => Number(bit)) + ).slice(0, 32); + console.log("expect: ", EXPECT, "\nresult: ", result); + assert.equal(result, EXPECT); + }); + +}); diff --git a/circuits/test/helper_functions.test.ts b/circuits/test/helper_functions.test.ts new file mode 100644 index 0000000..3db52aa --- /dev/null +++ b/circuits/test/helper_functions.test.ts @@ -0,0 +1,26 @@ +import { WitnessTester } from "circomkit"; +import { bitArrayToHex, circomkit, hexToBitArray } from "./common"; +import { assert } from "chai"; + +describe("reverse_byte_array", () => { + let circuit: WitnessTester<["in"], ["out"]>; + + before(async () => { + circuit = await circomkit.WitnessTester(`reverse_bytes`, { + file: "aes-gcm/helper_functions", + template: "ReverseByteArray", + }); + }); + + it("test reverse_byte_array", async () => { + let bits = hexToBitArray("0102030405060708091011121314151f"); + let expect = "1f151413121110090807060504030201"; + const _res = await circuit.compute({ in: bits }, ["out"]); + const result = bitArrayToHex( + (_res.out as number[]).map((bit) => Number(bit)) + ); + // console.log("expect: ", expect, "\nresult: ", result); + assert.equal(expect, result); + }); +}); + diff --git a/circuits/test/gfmul.test.ts b/circuits/test/polyval_gfmul.test.ts similarity index 81% rename from circuits/test/gfmul.test.ts rename to circuits/test/polyval_gfmul.test.ts index 6ccf9ea..cffb48e 100644 --- a/circuits/test/gfmul.test.ts +++ b/circuits/test/polyval_gfmul.test.ts @@ -6,17 +6,61 @@ const ZERO = hexToBitArray("0x000000000000000"); const BE_ONE = hexToBitArray("0x0000000000000001"); const MAX = hexToBitArray("0xFFFFFFFFFFFFFFFF"); -describe("BMUL64", () => { + +describe("POLYVAL GF_MUL", () => { + let circuit: WitnessTester<["a", "b"], ["out"]>; + + before(async () => { + circuit = await circomkit.WitnessTester(`POLYVAL_GFMUL`, { + file: "aes-gcm/polyval_gfmul", + template: "POLYVAL_GFMUL", + }); + }); + + it("POLYVAL_GF_MUL 0", async () => { + await circuit.expectPass({ a: [MAX, MAX], b: [ZERO, ZERO] }, { out: [ZERO, ZERO] }); + }); + + it("POLYVAL_GF_MUL 1", async () => { + await circuit.expectPass({ a: [ZERO, BE_ONE], b: [ZERO, BE_ONE] }, { out: [BE_ONE, ZERO] }); + }); + + it("POLYVAL_GF_MUL 2", async () => { + const E1 = hexToBitArray("C200000000000000"); + const E2 = hexToBitArray("0000000000000001"); + await circuit.expectPass({ a: [ZERO, BE_ONE], b: [BE_ONE, ZERO] }, { out: [E1, E2] }); + }); + + it("POLYVAL_GF_MUL 3", async () => { + const E1 = hexToBitArray("0x00000000006F2B00"); + await circuit.expectPass({ a: [ZERO, hexToBitArray("0x00000000000000F1")], b: [ZERO, hexToBitArray("0x000000000000BB00")] }, { out: [E1, ZERO] }); + }); + + it("POLYVAL_GF_MUL 4", async () => { + const E1 = hexToBitArray("0x000000000043AA16"); + const f1 = hexToBitArray("0x00000000000000F1"); + const bb = hexToBitArray("0x000000000000BB00"); + await circuit.expectPass({ a: [bb, ZERO], b: [ZERO, f1] }, { out: [ZERO, E1] }); + }); + + it("POLYVAL_GF_MUL 5", async () => { + const fives = hexToBitArray("0x5555555555555555"); + const rest = hexToBitArray("0x7A01555555555555"); + await circuit.expectPass({ a: [MAX, MAX], b: [MAX, MAX] }, { out: [fives, rest] }); + }); +}); + +describe("POLYVAL BMUL64", () => { let circuit: WitnessTester<["x", "y"], ["out"]>; before(async () => { circuit = await circomkit.WitnessTester(`BMUL64`, { - file: "aes-gcm/gfmul", + file: "aes-gcm/polyval_gfmul", template: "BMUL64", }); }); - it("bmul64 multiplies 1", async () => { + it("POLYVAL_bmul64 multiplies 1", async () => { const expected = "0000000000000001"; const _res = await circuit.compute({ x: BE_ONE, y: BE_ONE }, ["out"]); const result = bitArrayToHex( @@ -26,7 +70,7 @@ describe("BMUL64", () => { assert.equal(result, expected, "parse incorrect"); }); - it("bmul64 multiplies 0", async () => { + it("POLYVAL_bmul64 multiplies 0", async () => { const expected = "0000000000000000"; const _res = await circuit.compute({ x: ZERO, y: MAX }, ["out"]); const result = bitArrayToHex( @@ -36,7 +80,7 @@ describe("BMUL64", () => { assert.equal(result, expected, "parse incorrect"); }); - it("bmul64 multiplies large number", async () => { + it("POLYVAL_bmul64 multiplies large number", async () => { const X = hexToBitArray("0x1111111111111111"); const Y = hexToBitArray("0x1111111111111111"); const expected = "0101010101010101"; @@ -48,7 +92,7 @@ describe("BMUL64", () => { assert.equal(result, expected, "parse incorrect"); }); - it("bmul64 multiplies large number 2", async () => { + it("POLYVAL_bmul64 multiplies large number 2", async () => { const X = hexToBitArray("0x1111222211118888"); const Y = hexToBitArray("0x1111222211118888"); const expected = "0101010140404040"; @@ -60,7 +104,7 @@ describe("BMUL64", () => { assert.equal(result, expected, "parse incorrect"); }); - it("bmul64 multiplies large number 3", async () => { + it("POLYVAL_bmul64 multiplies large number 3", async () => { const X = hexToBitArray("0xCFAF222D1A198287"); const Y = hexToBitArray("0xFBFF2C2218118182"); const expected = "40468c9202c4418e"; @@ -72,46 +116,3 @@ describe("BMUL64", () => { assert.equal(result, expected, "parse incorrect"); }); }); - -describe("GF_MUL", () => { - let circuit: WitnessTester<["a", "b"], ["out"]>; - - before(async () => { - circuit = await circomkit.WitnessTester(`MUL`, { - file: "aes-gcm/gfmul", - template: "MUL", - }); - }); - - it("GF_MUL 0", async () => { - await circuit.expectPass({ a: [MAX, MAX], b: [ZERO, ZERO] }, { out: [ZERO, ZERO] }); - }); - - it("GF_MUL 1", async () => { - await circuit.expectPass({ a: [ZERO, BE_ONE], b: [ZERO, BE_ONE] }, { out: [BE_ONE, ZERO] }); - }); - - it("GF_MUL 2", async () => { - const E1 = hexToBitArray("C200000000000000"); - const E2 = hexToBitArray("0000000000000001"); - await circuit.expectPass({ a: [ZERO, BE_ONE], b: [BE_ONE, ZERO] }, { out: [E1, E2] }); - }); - - it("GF_MUL 3", async () => { - const E1 = hexToBitArray("0x00000000006F2B00"); - await circuit.expectPass({ a: [ZERO, hexToBitArray("0x00000000000000F1")], b: [ZERO, hexToBitArray("0x000000000000BB00")] }, { out: [E1, ZERO] }); - }); - - it("GF_MUL 4", async () => { - const E1 = hexToBitArray("0x000000000043AA16"); - const f1 = hexToBitArray("0x00000000000000F1"); - const bb = hexToBitArray("0x000000000000BB00"); - await circuit.expectPass({ a: [bb, ZERO], b: [ZERO, f1] }, { out: [ZERO, E1] }); - }); - - it("GF_MUL 5", async () => { - const fives = hexToBitArray("0x5555555555555555"); - const rest = hexToBitArray("0x7A01555555555555"); - await circuit.expectPass({ a: [MAX, MAX], b: [MAX, MAX] }, { out: [fives, rest] }); - }); -}); diff --git a/circuits/test/wrapping_mul.test.ts b/circuits/test/wrapping_mul.test.ts index 9f0f42a..bdedd3e 100644 --- a/circuits/test/wrapping_mul.test.ts +++ b/circuits/test/wrapping_mul.test.ts @@ -7,7 +7,7 @@ describe("WRAPPING_BE", () => { before(async () => { circuit = await circomkit.WitnessTester(`WrappingMul64`, { - file: "aes-gcm/mul", + file: "aes-gcm/wrapping_mul", template: "WrappingMul64", }); }); diff --git a/src/main.rs b/src/main.rs index 6d1cbd0..3f6c6d9 100644 --- a/src/main.rs +++ b/src/main.rs @@ -98,7 +98,7 @@ mod tests { println!("msg={}", hex::encode(message)); println!("ct={}", hex::encode(ct)); } - + #[tokio::test] async fn test_ghash() { use ghash::{ @@ -106,27 +106,35 @@ mod tests { GHash, }; use hex_literal::hex; - + const H: [u8; 16] = hex!("aae06992acbf52a3e8f4a96ec9300bd7"); const X_1: [u8; 16] = hex!("98e7247c07f0fe411c267e4384b0f600"); - + let mut ghash = GHash::new(&H.into()); ghash.update(&[X_1.into()]); let result = ghash.finalize(); - - let hash_key = [0xaa, 0xe0, 0x69, 0x92, 0xac, 0xbf, 0x52, 0xa3, 0xe8, 0xf4, 0xa9, 0x6e, 0xc9, 0x30, 0x0b, 0xd7]; - let ct = [0x98, 0xe7, 0x24, 0x7c, 0x07, 0xf0, 0xfe, 0x41, 0x1c, 0x26, 0x7e, 0x43, 0x84, 0xb0, 0xf6, 0x00]; - let expected = [0x2f, 0xf5, 0x8d, 0x80, 0x03, 0x39, 0x27, 0xab,0x8e, 0xf4, 0xd4, 0x58, 0x75, 0x14, 0xf0, 0xfb]; - - // Alternative. + + let hash_key = [ + 0xaa, 0xe0, 0x69, 0x92, 0xac, 0xbf, 0x52, 0xa3, 0xe8, 0xf4, 0xa9, 0x6e, 0xc9, 0x30, + 0x0b, 0xd7, + ]; + let ct = [ + 0x98, 0xe7, 0x24, 0x7c, 0x07, 0xf0, 0xfe, 0x41, 0x1c, 0x26, 0x7e, 0x43, 0x84, 0xb0, + 0xf6, 0x00, + ]; + let expected = [ + 0x2f, 0xf5, 0x8d, 0x80, 0x03, 0x39, 0x27, 0xab, 0x8e, 0xf4, 0xd4, 0x58, 0x75, 0x14, + 0xf0, 0xfb, + ]; + + // Alternative. let mut ghash2 = GHash::new_with_init_block(&hash_key.into(), 0); let ga_data = GenericArray::from_slice(&ct); ghash2.update(&[*ga_data]); let result2 = ghash2.finalize(); - + println!("GHASH NEW result: {:?}", hex::encode(result.as_slice())); println!("GHASH OLD result: {:?}", hex::encode(result2.as_slice())); println!("expected: {:?}", hex::encode(expected)); - } } From 99f26bce40df4d63c0c9aaf630e21c30ad6de0db Mon Sep 17 00:00:00 2001 From: Thor Kampefner Date: Wed, 18 Sep 2024 13:53:47 -0700 Subject: [PATCH 04/15] nit: fix ghash diagram --- circuits/aes-gcm/ghash.circom | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/circuits/aes-gcm/ghash.circom b/circuits/aes-gcm/ghash.circom index 829935f..cb8b21b 100644 --- a/circuits/aes-gcm/ghash.circom +++ b/circuits/aes-gcm/ghash.circom @@ -18,22 +18,21 @@ include "gfmulx.circom"; // // X1 X2 ... XM // │ │ │ -// ▼ ▼ ▼ -// ┌────────────────┐ ┌──────────┐ ┌──────────┐ -// │ multiply by H │ ┌─────▶│ XOR │ ┌─────▶│ XOR │ -// └────────┬───────┘ | └────┬─────┘ | └────┬─────┘ -// │ │ │ | | -// │ │ ▼ | ▼ -// │ │ ┌────────────────┐ | ┌────────────────┐ -// │ │ │ multiply by H │ | │ multiply by H │ -// │ │ └───────┬────────┘ | └───────┬────────┘ -// │ │ │ | | -// ▼ │ ▼ | ▼ -// ┌─────────┐ │ ┌─────────┐ | ┌─────────┐ +// │ ▼ ▼ +// │ ┌──────────┐ ┌──────────┐ +// │ ┌─────▶│ XOR │ ┌─────▶│ XOR │ +// │ │ └────┬─────┘ │ └────┬─────┘ +// │ │ │ │ | +// ▼ │ ▼ │ ▼ +// ┌────────────────┐ │ ┌────────────────┐ │ ┌────────────────┐ +// │ multiply by H │ │ │ multiply by H │ │ │ multiply by H │ +// └────────┬───────┘ │ └───────┬────────┘ │ └───────┬────────┘ +// │ │ │ │ | +// ▼ │ ▼ │ ▼ +// ┌─────────┐ │ ┌─────────┐ │ ┌─────────┐ // │ TAG1 │ ─────┘ │ TAG2 │ ──────┘ │ TAGM │ // └─────────┘ └─────────┘ └─────────┘ // - template GHASH(NUM_BLOCKS) { signal input HashKey[4][4]; // Hash subkey (128 bits) signal input msg[NUM_BLOCKS][4][4]; // Input blocks (each 128 bits) From 9a3b18ca3db30f63837b7ec2bb590493d54bd29e Mon Sep 17 00:00:00 2001 From: Thor Kampefner Date: Wed, 18 Sep 2024 14:39:38 -0700 Subject: [PATCH 05/15] setup --- circuits/aes-gcm/polyval.circom | 20 ++++++++++++++------ circuits/test/hashes/polyval.test.ts | 17 ++++++++--------- 2 files changed, 22 insertions(+), 15 deletions(-) diff --git a/circuits/aes-gcm/polyval.circom b/circuits/aes-gcm/polyval.circom index 50d33c4..79b040f 100644 --- a/circuits/aes-gcm/polyval.circom +++ b/circuits/aes-gcm/polyval.circom @@ -1,11 +1,19 @@ -template POLYVAL(n_msg_bits) -{ +pragma circom 2.1.9; + +include "polyval_gfmul.circom"; + +// Implement POLYVAL for testing purposes +template POLYVAL(n_msg_bits) { signal input msg[n_msg_bits]; signal input H[128]; - // signal input T[2][64]; // TODO signal output out[128]; - for (var i = 0; i < 128; i++) { - out[i] <== 1; - } + component POLYVAL_GFMUL ; + signal tags[n_msg_bits][128]; + signal xors[n_msg_bits][128]; + + + // for (var i=0; i<128; i++){ xors[0][i] <== 0; } + + for (var i=0; i<128; i++){ out[i] <== 0; } } diff --git a/circuits/test/hashes/polyval.test.ts b/circuits/test/hashes/polyval.test.ts index 2c8f1be..066888a 100644 --- a/circuits/test/hashes/polyval.test.ts +++ b/circuits/test/hashes/polyval.test.ts @@ -21,11 +21,11 @@ describe("POLYVAL_HASH_1", () => { // console.log("#constraints:", await circuit.getConstraintCount()); }); - it("should have correct number of constraints", async () => { - await circuit.expectConstraintCount(74754, true); - }); + // it("should have correct number of constraints", async () => { + // await circuit.expectConstraintCount(74754, true); + // }); - it("todo name polyval", async () => { + it("POLYVAL 1", async () => { const input = { msg: M, H: H }; const _res = await circuit.compute(input, ["out"]); const result = bitArrayToHex( @@ -48,11 +48,11 @@ describe("POLYVAL_HASH_2", () => { // console.log("#constraints:", await circuit.getConstraintCount()); }); - it("should have correct number of constraints", async () => { - await circuit.expectConstraintCount(74754, true); - }); + // it("should have correct number of constraints", async () => { + // await circuit.expectConstraintCount(74754, true); + // }); - it("todo name polyval", async () => { + it("POLYVAL 2", async () => { const M = hexToBitArray(X1); const input = { msg: M, H: H }; const _res = await circuit.compute(input, ["out"]); @@ -62,5 +62,4 @@ describe("POLYVAL_HASH_2", () => { console.log("expect: ", EXPECT, "\nresult: ", result); assert.equal(result, EXPECT); }); - }); From 80e049d872f2e878fcd27421dd391d379d023b1e Mon Sep 17 00:00:00 2001 From: Thor Kampefner Date: Wed, 18 Sep 2024 15:31:36 -0700 Subject: [PATCH 06/15] polyval mul by h implemented --- circuits/aes-gcm/polyval.circom | 30 +++++++++++++++++++++------- circuits/test/hashes/polyval.test.ts | 8 ++++---- 2 files changed, 27 insertions(+), 11 deletions(-) diff --git a/circuits/aes-gcm/polyval.circom b/circuits/aes-gcm/polyval.circom index 79b040f..a227bf8 100644 --- a/circuits/aes-gcm/polyval.circom +++ b/circuits/aes-gcm/polyval.circom @@ -3,17 +3,33 @@ pragma circom 2.1.9; include "polyval_gfmul.circom"; // Implement POLYVAL for testing purposes -template POLYVAL(n_msg_bits) { - signal input msg[n_msg_bits]; +template POLYVAL(BLOCKS) { + signal input msg[BLOCKS][128]; signal input H[128]; signal output out[128]; - component POLYVAL_GFMUL ; - signal tags[n_msg_bits][128]; - signal xors[n_msg_bits][128]; - + signal tags[BLOCKS][128]; + signal b; + // signal xors[BLOCKS][128]; + component POLYVAL_GFMUL = POLYVAL_GFMUL(); + for (var i=0; i<2; i++){ + for (var j=0; j<64; j++){ + POLYVAL_GFMUL.a[i][j] <== msg[0][i*64+j]; + POLYVAL_GFMUL.b[i][j] <== H[i*64+j]; + } + } + + // for (var i=0; i<2; i++){ + // for (var j=0; j<64; j++){ + // log(POLYVAL_GFMUL.b[i][j]); + // }} // for (var i=0; i<128; i++){ xors[0][i] <== 0; } - for (var i=0; i<128; i++){ out[i] <== 0; } + // for (var i=0; i<128; i++){ out[i] <== 0; } + for (var i=0; i<2; i++){ + for (var j=0; j<64; j++){ + out[i*64 + j] <== POLYVAL_GFMUL.out[i][j]; + } + } } diff --git a/circuits/test/hashes/polyval.test.ts b/circuits/test/hashes/polyval.test.ts index 066888a..cb1eec7 100644 --- a/circuits/test/hashes/polyval.test.ts +++ b/circuits/test/hashes/polyval.test.ts @@ -16,7 +16,7 @@ describe("POLYVAL_HASH_1", () => { circuit = await circomkit.WitnessTester(`polyval`, { file: "aes-gcm/polyval", template: "POLYVAL", - params: [128 * 2], + params: [2], }); // console.log("#constraints:", await circuit.getConstraintCount()); }); @@ -43,7 +43,7 @@ describe("POLYVAL_HASH_2", () => { circuit = await circomkit.WitnessTester(`polyval`, { file: "aes-gcm/polyval", template: "POLYVAL", - params: [128 * 1], + params: [1], }); // console.log("#constraints:", await circuit.getConstraintCount()); }); @@ -57,8 +57,8 @@ describe("POLYVAL_HASH_2", () => { const input = { msg: M, H: H }; const _res = await circuit.compute(input, ["out"]); const result = bitArrayToHex( - (_res.out as number[]).map((bit) => Number(bit)) - ).slice(0, 32); + (_res.out as number[][])[0].map((bit) => Number(bit)) + ); console.log("expect: ", EXPECT, "\nresult: ", result); assert.equal(result, EXPECT); }); From 0734562531458b21200083c9f1a9324144392d26 Mon Sep 17 00:00:00 2001 From: Thor Kampefner Date: Wed, 18 Sep 2024 19:13:08 -0700 Subject: [PATCH 07/15] note: obtained test vectors for polyval, tbc --- circuits/aes-gcm/polyval.circom | 4 ++-- circuits/test/hashes/polyval.test.ts | 27 +++++++++++++++++---------- 2 files changed, 19 insertions(+), 12 deletions(-) diff --git a/circuits/aes-gcm/polyval.circom b/circuits/aes-gcm/polyval.circom index a227bf8..549c6e3 100644 --- a/circuits/aes-gcm/polyval.circom +++ b/circuits/aes-gcm/polyval.circom @@ -14,8 +14,8 @@ template POLYVAL(BLOCKS) { component POLYVAL_GFMUL = POLYVAL_GFMUL(); for (var i=0; i<2; i++){ for (var j=0; j<64; j++){ - POLYVAL_GFMUL.a[i][j] <== msg[0][i*64+j]; - POLYVAL_GFMUL.b[i][j] <== H[i*64+j]; + POLYVAL_GFMUL.a[1-i][j] <== msg[0][i*64+j]; + POLYVAL_GFMUL.b[1-i][j] <== H[i*64+j]; } } diff --git a/circuits/test/hashes/polyval.test.ts b/circuits/test/hashes/polyval.test.ts index cb1eec7..4ed307b 100644 --- a/circuits/test/hashes/polyval.test.ts +++ b/circuits/test/hashes/polyval.test.ts @@ -8,6 +8,8 @@ const X1 = "4f4f95668c83dfb6401762bb2d01a262"; const X2 = "d1a24ddd2721d006bbe45f20d3c9f362"; const M = hexToBitArray(X1.concat(X2)); const EXPECT = "f7a3b47b846119fae5b7866cf5e5b77e"; +// generated with rust-crypto +const EXPECT_2 = "cedac64537ff50989c16011551086d77"; describe("POLYVAL_HASH_1", () => { let circuit: WitnessTester<["msg", "H"], ["out"]>; @@ -21,16 +23,12 @@ describe("POLYVAL_HASH_1", () => { // console.log("#constraints:", await circuit.getConstraintCount()); }); - // it("should have correct number of constraints", async () => { - // await circuit.expectConstraintCount(74754, true); - // }); - it("POLYVAL 1", async () => { const input = { msg: M, H: H }; const _res = await circuit.compute(input, ["out"]); const result = bitArrayToHex( - (_res.out as number[]).map((bit) => Number(bit)) - ).slice(0, 32); + (_res.out as number[][])[0].map((bit) => Number(bit)) + ) console.log("expect: ", EXPECT, "\nresult: ", result); assert.equal(result, EXPECT); }); @@ -48,10 +46,6 @@ describe("POLYVAL_HASH_2", () => { // console.log("#constraints:", await circuit.getConstraintCount()); }); - // it("should have correct number of constraints", async () => { - // await circuit.expectConstraintCount(74754, true); - // }); - it("POLYVAL 2", async () => { const M = hexToBitArray(X1); const input = { msg: M, H: H }; @@ -63,3 +57,16 @@ describe("POLYVAL_HASH_2", () => { assert.equal(result, EXPECT); }); }); + +// ---- polyval_test_vector_2 stdout ---- +// proc_block: Array([4F, 4F, 95, 66, 8C, 83, DF, B6, 40, 17, 62, BB, 2D, 01, A2, 62]) +// add: self.0: 0000000000000000, self.1: 0000000000000000 +// add: rhs.0: B6DF838C66954F4F, rhs.1: 62A2012DBB621740 +// mul: self.0: B6DF838C66954F4F, self.1: 62A2012DBB621740 +// mul: rhs.0: 7642925847936225, rhs.1: 7B754BBA26F8311D +// __v2: 9850FF3745C6DACE, __v3: 776D08511501169C +// finalize block: Array([0000000000000206, 0000000000000218, 0000000000000198, 0000000000000069, 0000000000000055, 0000000000000255, 0000000000000080, 0000000000000152, 0000000000000156, 0000000000000022, 0000000000000001, 0000000000000021, 0000000000000081, 0000000000000008, 0000000000000109, 0000000000000119]) +// [CE, DA, C6, 45, 37, FF, 50, 98, 9C, 16, 01, 15, 51, 08, 6D, 77] +// thread 'polyval_test_vector_2' panicked at polyval/tests/lib.rs:46:5: +// explicit panic +// note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace From 328c65440615e869b443184e0d00aeaad3ecb00d Mon Sep 17 00:00:00 2001 From: Thor Kampefner Date: Thu, 19 Sep 2024 12:59:15 -0700 Subject: [PATCH 08/15] debugging: wrote parseBEBitsToBytes for logging --- circuits/aes-gcm/helper_functions.circom | 34 ++++++++++++++++++++++++ circuits/aes-gcm/polyval.circom | 13 ++++++++- circuits/test/hashes/polyval.test.ts | 2 ++ 3 files changed, 48 insertions(+), 1 deletion(-) diff --git a/circuits/aes-gcm/helper_functions.circom b/circuits/aes-gcm/helper_functions.circom index 6524fe8..5ff950d 100644 --- a/circuits/aes-gcm/helper_functions.circom +++ b/circuits/aes-gcm/helper_functions.circom @@ -4,6 +4,7 @@ include "circomlib/circuits/bitify.circom"; include "circomlib/circuits/gates.circom"; include "circomlib/circuits/comparators.circom"; +// parse LE bits to int template ParseLEBytes64() { signal input in[64]; signal output out; @@ -22,6 +23,39 @@ template ParseLEBytes64() { out <-- temp; } +// parse BE bits to BE bytes +// +// Sample calling code for logging: +// component Parser = ParseBEBitsToBytes(16); +// // load parser with H and log output +// for (var i=0; i<128; i++){ +// Parser.in[i] <== H[i]; +// } +// for (var i=0; i<2; i++){ +// log("h[", i, "]=", +// Parser.out[i*8+0], Parser.out[i*8+1], Parser.out[i*8+2], Parser.out[i*8+3], +// Parser.out[i*8+4], Parser.out[i*8+5], Parser.out[i*8+6], Parser.out[i*8+7] ); +// } +template ParseBEBitsToBytes(N_BYTES_OUTPUT) { + var N_BITS = N_BYTES_OUTPUT * 8; + signal input in[N_BITS]; + signal output out[N_BYTES_OUTPUT]; + // var temp[8] = [0,0,0,0,0,0,0,0]; + + // Iterate through the input bits + var temp[N_BYTES_OUTPUT]; + for (var i = 0; i < N_BYTES_OUTPUT; i++) { + temp[i] = 0; + for (var j = 0; j < 8; j++) { + temp[i] += 2**j * in[i*8 + j]; + } + } + + for (var i=0; i< N_BYTES_OUTPUT; i++) { + out[i] <-- temp[i]; + } +} + // parse 64-bits to integer value template ParseBEBytes64() { signal input in[64]; diff --git a/circuits/aes-gcm/polyval.circom b/circuits/aes-gcm/polyval.circom index 549c6e3..8e9089c 100644 --- a/circuits/aes-gcm/polyval.circom +++ b/circuits/aes-gcm/polyval.circom @@ -8,8 +8,19 @@ template POLYVAL(BLOCKS) { signal input H[128]; signal output out[128]; + signal H_bytes[16]; + component Parser = ParseBEBitsToBytes(16); + // load parser with H and log output + for (var i=0; i<128; i++){ + Parser.in[i] <== H[i]; + } + for (var i=0; i<2; i++){ + log("h[", i, "]=", + Parser.out[i*8+0], Parser.out[i*8+1], Parser.out[i*8+2], Parser.out[i*8+3], + Parser.out[i*8+4], Parser.out[i*8+5], Parser.out[i*8+6], Parser.out[i*8+7] ); + } + signal tags[BLOCKS][128]; - signal b; // signal xors[BLOCKS][128]; component POLYVAL_GFMUL = POLYVAL_GFMUL(); for (var i=0; i<2; i++){ diff --git a/circuits/test/hashes/polyval.test.ts b/circuits/test/hashes/polyval.test.ts index 4ed307b..7a7e26a 100644 --- a/circuits/test/hashes/polyval.test.ts +++ b/circuits/test/hashes/polyval.test.ts @@ -49,6 +49,8 @@ describe("POLYVAL_HASH_2", () => { it("POLYVAL 2", async () => { const M = hexToBitArray(X1); const input = { msg: M, H: H }; + // mul: self.0: B6DF838C66954F4F, self.1: 62A2012DBB621740 + // mul: rhs.0: 7642925847936225, rhs.1: 7B754BBA26F8311D const _res = await circuit.compute(input, ["out"]); const result = bitArrayToHex( (_res.out as number[][])[0].map((bit) => Number(bit)) From bdfbfbe6e4353df3a641c7975b536457ffd1fcbc Mon Sep 17 00:00:00 2001 From: Thor Kampefner Date: Thu, 19 Sep 2024 13:09:47 -0700 Subject: [PATCH 09/15] apply logging to polyval, observe outputs --- circuits/aes-gcm/helper_functions.circom | 4 ++-- circuits/aes-gcm/polyval.circom | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/circuits/aes-gcm/helper_functions.circom b/circuits/aes-gcm/helper_functions.circom index 5ff950d..a894f20 100644 --- a/circuits/aes-gcm/helper_functions.circom +++ b/circuits/aes-gcm/helper_functions.circom @@ -46,8 +46,8 @@ template ParseBEBitsToBytes(N_BYTES_OUTPUT) { var temp[N_BYTES_OUTPUT]; for (var i = 0; i < N_BYTES_OUTPUT; i++) { temp[i] = 0; - for (var j = 0; j < 8; j++) { - temp[i] += 2**j * in[i*8 + j]; + for (var j = 7; j >= 0; j--) { + temp[i] += 2**j * in[i*8 + 7 - j]; } } diff --git a/circuits/aes-gcm/polyval.circom b/circuits/aes-gcm/polyval.circom index 8e9089c..0025d1b 100644 --- a/circuits/aes-gcm/polyval.circom +++ b/circuits/aes-gcm/polyval.circom @@ -29,7 +29,7 @@ template POLYVAL(BLOCKS) { POLYVAL_GFMUL.b[1-i][j] <== H[i*64+j]; } } - + // for (var i=0; i<2; i++){ // for (var j=0; j<64; j++){ // log(POLYVAL_GFMUL.b[i][j]); From 1ca08c9436e108d216026feec7081c7cf75c0799 Mon Sep 17 00:00:00 2001 From: Thor Kampefner Date: Thu, 19 Sep 2024 13:55:47 -0700 Subject: [PATCH 10/15] wrote a good logger --- circuits/aes-gcm/helper_functions.circom | 62 ++++++++++++++++-------- circuits/aes-gcm/polyval.circom | 42 ++++++++-------- 2 files changed, 64 insertions(+), 40 deletions(-) diff --git a/circuits/aes-gcm/helper_functions.circom b/circuits/aes-gcm/helper_functions.circom index a894f20..f158c4a 100644 --- a/circuits/aes-gcm/helper_functions.circom +++ b/circuits/aes-gcm/helper_functions.circom @@ -23,35 +23,39 @@ template ParseLEBytes64() { out <-- temp; } -// parse BE bits to BE bytes -// -// Sample calling code for logging: -// component Parser = ParseBEBitsToBytes(16); -// // load parser with H and log output -// for (var i=0; i<128; i++){ -// Parser.in[i] <== H[i]; -// } -// for (var i=0; i<2; i++){ -// log("h[", i, "]=", -// Parser.out[i*8+0], Parser.out[i*8+1], Parser.out[i*8+2], Parser.out[i*8+3], -// Parser.out[i*8+4], Parser.out[i*8+5], Parser.out[i*8+6], Parser.out[i*8+7] ); -// } -template ParseBEBitsToBytes(N_BYTES_OUTPUT) { - var N_BITS = N_BYTES_OUTPUT * 8; +// parse BE bits as bytes and log them +template ParseAndLogBitsAsBytes(N_BYTES){ + var N_BITS = N_BYTES * 8; signal input in[N_BITS]; - signal output out[N_BYTES_OUTPUT]; + component Parser = ParseBEBitsToBytes(N_BYTES); + for (var i=0; i> 1) ^ (v0 >> 2) ^ (v0 >> 7); // _v1 = v1 ^ (v0 << 63) ^ (v0 << 62) ^ (v0 << 57); signal _v2[64]; @@ -184,6 +202,11 @@ template POLYVAL_GFMUL() { XorMultiples_L[1].inputs <== [_v2, LS_v[3].out, LS_v[4].out, LS_v[5].out]; __v2 <== XorMultiples_L[1].out; + // component Loggers__v[2]; + // for (var i=0; i<2; i++) { Loggers__v[i] = ParseAndLogBitsAsBytes(8);} + // log("__v2"); Loggers__v[0].in <== __v2; + // log("__v3"); Loggers__v[1].in <== __v3; + out <== [__v2, __v3]; } diff --git a/circuits/test/hashes/polyval.test.ts b/circuits/test/hashes/polyval.test.ts index 7a7e26a..66661db 100644 --- a/circuits/test/hashes/polyval.test.ts +++ b/circuits/test/hashes/polyval.test.ts @@ -49,26 +49,12 @@ describe("POLYVAL_HASH_2", () => { it("POLYVAL 2", async () => { const M = hexToBitArray(X1); const input = { msg: M, H: H }; - // mul: self.0: B6DF838C66954F4F, self.1: 62A2012DBB621740 - // mul: rhs.0: 7642925847936225, rhs.1: 7B754BBA26F8311D const _res = await circuit.compute(input, ["out"]); + console.log(_res); const result = bitArrayToHex( - (_res.out as number[][])[0].map((bit) => Number(bit)) + (_res.out as number[][]).map((bit) => Number(bit)) ); console.log("expect: ", EXPECT, "\nresult: ", result); assert.equal(result, EXPECT); }); }); - -// ---- polyval_test_vector_2 stdout ---- -// proc_block: Array([4F, 4F, 95, 66, 8C, 83, DF, B6, 40, 17, 62, BB, 2D, 01, A2, 62]) -// add: self.0: 0000000000000000, self.1: 0000000000000000 -// add: rhs.0: B6DF838C66954F4F, rhs.1: 62A2012DBB621740 -// mul: self.0: B6DF838C66954F4F, self.1: 62A2012DBB621740 -// mul: rhs.0: 7642925847936225, rhs.1: 7B754BBA26F8311D -// __v2: 9850FF3745C6DACE, __v3: 776D08511501169C -// finalize block: Array([0000000000000206, 0000000000000218, 0000000000000198, 0000000000000069, 0000000000000055, 0000000000000255, 0000000000000080, 0000000000000152, 0000000000000156, 0000000000000022, 0000000000000001, 0000000000000021, 0000000000000081, 0000000000000008, 0000000000000109, 0000000000000119]) -// [CE, DA, C6, 45, 37, FF, 50, 98, 9C, 16, 01, 15, 51, 08, 6D, 77] -// thread 'polyval_test_vector_2' panicked at polyval/tests/lib.rs:46:5: -// explicit panic -// note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace From 6ea05125e3596a13e5b2bc51d954dbd7a7fa6dd0 Mon Sep 17 00:00:00 2001 From: Thor Kampefner Date: Thu, 19 Sep 2024 15:33:36 -0700 Subject: [PATCH 13/15] passing polyval 2 test --- circuits/aes-gcm/polyval.circom | 16 +++++++---- circuits/aes-gcm/polyval_gfmul.circom | 40 +++++++++++++++------------ circuits/test/hashes/polyval.test.ts | 8 +++--- 3 files changed, 38 insertions(+), 26 deletions(-) diff --git a/circuits/aes-gcm/polyval.circom b/circuits/aes-gcm/polyval.circom index da0c45e..1749dbe 100644 --- a/circuits/aes-gcm/polyval.circom +++ b/circuits/aes-gcm/polyval.circom @@ -11,10 +11,10 @@ template POLYVAL(BLOCKS) { // reverse msg and H, store in msg_ and H_ signal msg_[128]; signal H_[128]; - component ReverseBytes[2]; - ReverseBytes[0]=ReverseByteArrayHalves128(); ReverseBytes[1]=ReverseByteArrayHalves128(); - ReverseBytes[0].in <== msg[0]; msg_ <== ReverseBytes[0].out; - ReverseBytes[1].in <== H; H_ <== ReverseBytes[1].out; + component ReverseByteHalves[3]; + for (var i=0; i<3; i++){ ReverseByteHalves[i] = ReverseByteArrayHalves128();} + ReverseByteHalves[0].in <-- msg[0]; msg_ <-- ReverseByteHalves[0].out; + ReverseByteHalves[1].in <-- H; H_ <-- ReverseByteHalves[1].out; // signal tags[BLOCKS][128]; // signal xors[BLOCKS][128]; @@ -29,11 +29,17 @@ template POLYVAL(BLOCKS) { // for (var i=0; i<128; i++){ xors[0][i] <== 0; } // for (var i=0; i<128; i++){ out[i] <== 0; } + signal _out[128]; for (var i=0; i<2; i++){ for (var j=0; j<64; j++){ - out[i*64 + j] <== POLYVAL_GFMUL.out[i][j]; + // out[i*64 + j] <== POLYVAL_GFMUL.out[i][63-j]; + _out[i*64 + j] <== POLYVAL_GFMUL.out[i][j]; } } + + ReverseByteHalves[2].in <== _out; + out <-- ReverseByteHalves[2].out; + component Logger3 = ParseAndLogBitsAsBytes(16); log("out"); Logger3.in <== out; diff --git a/circuits/aes-gcm/polyval_gfmul.circom b/circuits/aes-gcm/polyval_gfmul.circom index 7705fdd..1b0b662 100644 --- a/circuits/aes-gcm/polyval_gfmul.circom +++ b/circuits/aes-gcm/polyval_gfmul.circom @@ -96,22 +96,24 @@ template POLYVAL_GFMUL() { // log("z2"); Loggers_z[2].in <== z[2]; // _z2 = z0 ^ z1 ^ z2; - // _z2h = z0h ^ z1h ^ z2h; - signal _z2[64]; - signal _zh[3][64]; + signal _z[3][64]; component XorMultiples[2]; XorMultiples[0] = XorMultiple(3, 64); XorMultiples[0].inputs <== z; - _z2 <== XorMultiples[0].out; + _z[0] <-- z[0]; + _z[1] <-- z[1]; + _z[2] <== XorMultiples[0].out; + // _z2h = z0h ^ z1h ^ z2h; + signal _zh[3][64]; XorMultiples[1] = XorMultiple(3, 64); XorMultiples[1].inputs <== zh; + _zh[0] <-- zh[0]; + _zh[1] <-- zh[1]; _zh[2] <== XorMultiples[1].out; - _zh[1] <== zh[1]; - _zh[0] <== zh[0]; - // __z0h = rev64(z0h) >> 1; - // __z1h = rev64(z1h) >> 1; + // __z0h = rev64(_z0h) >> 1; + // __z1h = rev64(_z1h) >> 1; // __z2h = rev64(_z2h) >> 1; signal __zh[3][64]; component Revs_zh[3]; @@ -119,32 +121,32 @@ template POLYVAL_GFMUL() { for (var i = 0; i < 3; i++) { Revs_zh[i] = REV64(); RightShifts_zh[i] = BitwiseRightShift(64, 1); - Revs_zh[i].in <== zh[i]; + Revs_zh[i].in <== _zh[i]; RightShifts_zh[i].in <== Revs_zh[i].out; __zh[i] <== RightShifts_zh[i].out; } - // let v0 = z0; - // let mut v1 = z0h ^ z2; - // let mut v2 = z1 ^ z2h; + // let v0 = _z0; + // let mut v1 = z0h ^ _z2; + // let mut v2 = _z1 ^ z2h; // let mut v3 = z1h; signal v[4][64]; component Xors_v[2]; - v[0] <== z[0]; + v[0] <== _z[0]; Xors_v[0] = BitwiseXor(64); Xors_v[0].a <== __zh[0]; - Xors_v[0].b <== _z2; + Xors_v[0].b <== _z[2]; v[1] <== Xors_v[0].out; Xors_v[1] = BitwiseXor(64); - Xors_v[1].a <== z[1]; + Xors_v[1].a <== _z[1]; Xors_v[1].b <== __zh[2]; v[2] <== Xors_v[1].out; v[3] <== __zh[1]; // component Loggers_v[4]; // for (var i=0; i<4; i++) { Loggers_v[i] = ParseAndLogBitsAsBytes(8);} - // log("v0"); Loggers_v[0].in <== v[0]; // log("v1"); Loggers_v[1].in <== v[1]; - // log("v2"); Loggers_v[2].in <== v[2]; // log("v3"); Loggers_v[3].in <== v[3]; + // log("v0"); Loggers_v[0].in <== v[0]; log("v1"); Loggers_v[1].in <== v[1]; + // log("v2"); Loggers_v[2].in <== v[2]; log("v3"); Loggers_v[3].in <== v[3]; // _v2 = v2 ^ v0 ^ (v0 >> 1) ^ (v0 >> 2) ^ (v0 >> 7); // _v1 = v1 ^ (v0 << 63) ^ (v0 << 62) ^ (v0 << 57); @@ -179,6 +181,10 @@ template POLYVAL_GFMUL() { XorMultiples_L[0].inputs <== [v[1], LS_v[0].out, LS_v[1].out, LS_v[2].out]; _v1 <== XorMultiples_L[0].out; + // component Loggers_v2[4]; + // for (var i=0; i<2; i++) { Loggers_v2[i] = ParseAndLogBitsAsBytes(8);} + // log("_v1"); Loggers_v2[0].in <== _v1; log("_v2"); Loggers_v2[1].in <== _v2; + // __v3 = v3 ^ _v1 ^ (_v1 >> 1) ^ (_v1 >> 2) ^ (_v1 >> 7); // __v2 = _v2 ^ (_v1 << 63) ^ (_v1 << 62) ^ (_v1 << 57); signal __v3[64]; diff --git a/circuits/test/hashes/polyval.test.ts b/circuits/test/hashes/polyval.test.ts index 66661db..a6ea8f9 100644 --- a/circuits/test/hashes/polyval.test.ts +++ b/circuits/test/hashes/polyval.test.ts @@ -50,11 +50,11 @@ describe("POLYVAL_HASH_2", () => { const M = hexToBitArray(X1); const input = { msg: M, H: H }; const _res = await circuit.compute(input, ["out"]); - console.log(_res); + // console.log(bitArrayToHex((_res.out as number[][])[0])); const result = bitArrayToHex( - (_res.out as number[][]).map((bit) => Number(bit)) + (_res.out as number[][])[0].map((bit) => Number(bit)) ); - console.log("expect: ", EXPECT, "\nresult: ", result); - assert.equal(result, EXPECT); + console.log("expect: ", EXPECT_2, "\nresult: ", result); + assert.equal(result, EXPECT_2); }); }); From 139251ae499199ce5327917c97fe929c853e30af Mon Sep 17 00:00:00 2001 From: Thor Kampefner Date: Thu, 19 Sep 2024 16:19:43 -0700 Subject: [PATCH 14/15] polyval tests passing --- circuits/aes-gcm/polyval.circom | 59 +++++++++++++++++---------------- circuits/test/common/index.ts | 4 +-- 2 files changed, 33 insertions(+), 30 deletions(-) diff --git a/circuits/aes-gcm/polyval.circom b/circuits/aes-gcm/polyval.circom index 1749dbe..83a65a8 100644 --- a/circuits/aes-gcm/polyval.circom +++ b/circuits/aes-gcm/polyval.circom @@ -2,43 +2,46 @@ pragma circom 2.1.9; include "polyval_gfmul.circom"; -// Implement POLYVAL for testing purposes template POLYVAL(BLOCKS) { signal input msg[BLOCKS][128]; signal input H[128]; signal output out[128]; - // reverse msg and H, store in msg_ and H_ - signal msg_[128]; + // LE adjustments: reverse msg and H, store in msg_ and H_ signal H_[128]; - component ReverseByteHalves[3]; - for (var i=0; i<3; i++){ ReverseByteHalves[i] = ReverseByteArrayHalves128();} - ReverseByteHalves[0].in <-- msg[0]; msg_ <-- ReverseByteHalves[0].out; - ReverseByteHalves[1].in <-- H; H_ <-- ReverseByteHalves[1].out; - - // signal tags[BLOCKS][128]; - // signal xors[BLOCKS][128]; - component POLYVAL_GFMUL = POLYVAL_GFMUL(); - for (var i=0; i<2; i++){ - for (var j=0; j<64; j++){ - POLYVAL_GFMUL.a[i][j] <== msg_[i*64+j]; - // POLYVAL_GFMUL.a[1-i][j] <== msg_[0][i*64+j]; - POLYVAL_GFMUL.b[i][j] <== H_[i*64+j]; - } - } + signal msg_[BLOCKS][128]; + component ReverseByteHalves[BLOCKS+2]; + for (var i=0; i { - let n = BigInt(byte); - return n; + let n = BigInt(byte); + return n; }); } From eb0ff72f433ecfe2fc4967791edf9dd5be99297b Mon Sep 17 00:00:00 2001 From: Thor Kampefner Date: Thu, 19 Sep 2024 16:20:20 -0700 Subject: [PATCH 15/15] rm log --- circuits/aes-gcm/polyval.circom | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/circuits/aes-gcm/polyval.circom b/circuits/aes-gcm/polyval.circom index 83a65a8..30c3001 100644 --- a/circuits/aes-gcm/polyval.circom +++ b/circuits/aes-gcm/polyval.circom @@ -43,7 +43,7 @@ template POLYVAL(BLOCKS) { ReverseByteHalves[1].in <== _out; out <-- ReverseByteHalves[1].out; - component Logger3 = ParseAndLogBitsAsBytes(16); - log("out"); - Logger3.in <== out; + // component Logger3 = ParseAndLogBitsAsBytes(16); + // log("out"); + // Logger3.in <== out; }