From b3e7a6369e03994b5b1be2055b7208ccf7162605 Mon Sep 17 00:00:00 2001 From: alvaro-alonso Date: Tue, 21 Feb 2023 12:28:19 +0100 Subject: [PATCH 01/11] remove pragma macro from nonStrictUnpack256 --- zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok | 1 - 1 file changed, 1 deletion(-) diff --git a/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok b/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok index c0f0b81c7..639450da1 100644 --- a/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok +++ b/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok @@ -1,4 +1,3 @@ -#pragma curve bn128 import "./unpack_unchecked"; From 98e91f915e58bc39cba2610b9a1e785caeea3bc5 Mon Sep 17 00:00:00 2001 From: alvaro-alonso Date: Tue, 21 Feb 2023 12:47:53 +0100 Subject: [PATCH 02/11] jubjub proofOfOwnership --- .../stdlib/ecc/jubjub/proofOfOwnership.zok | 24 ++++++++++++++++ .../tests/ecc/jubjub/proofOfOwnership.json | 16 +++++++++++ .../tests/ecc/jubjub/proofOfOwnership.zok | 28 +++++++++++++++++++ 3 files changed, 68 insertions(+) create mode 100644 zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok create mode 100644 zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.json create mode 100644 zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok b/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok new file mode 100644 index 000000000..2ddf218a8 --- /dev/null +++ b/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok 
@@ -0,0 +1,24 @@
+import "../babyjubjub/compress" as compress;
+from "./params" import EDWARDS_A, EDWARDS_D, G;
+from "ecc/edwards" import scalarMul;
+
+/// Verifies match of a given public/private keypair.
+///
+/// Checks if the following equation holds for the provided keypair:
+/// pk = sk*G
+/// where G is the chosen base point of the subgroup
+/// and * denotes scalar multiplication in the subgroup
+///
+/// Arguments:
+/// pk: Curve point (public key)
+/// sk: Private key
+///
+/// Returns true for pk/sk being a valid keypair, false otherwise.
+def main(field[2] pk, field[2] sk) -> bool {
+ // jubjub sk may not fit in bool[254], that why we use compress rather than nonStrictUnpack256
+ bool[256] sk_bits = compress(sk);
+ field[2] res = scalarMul(sk_bits, G, EDWARDS_A, EDWARDS_D);
+ assert(res[1] == pk[1]);
+ assert(res[0] == pk[0]);
+ return (res[0] == pk[0] && res[1] == pk[1]);
+}
\ No newline at end of file
diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.json b/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.json
new file mode 100644
index 000000000..f702e1da9
--- /dev/null
+++ b/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.json
@@ -0,0 +1,16 @@
+{
+ "entry_point": "./tests/tests/ecc/jubjub/proofOfOwnership.zok",
+ "curves": ["Bls12_381"],
+ "tests": [
+ {
+ "input": {
+ "values": []
+ },
+ "output": {
+ "Ok": {
+ "value": []
+ }
+ }
+ }
+ ]
+}
diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok
new file mode 100644
index 000000000..265a6e2da
--- /dev/null
+++ b/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok
@@ -0,0 +1,28 @@ +import "ecc/jubjub/proofOfOwnership" as proofOfOwnership; +from "ecc/edwards" import scalarMul; + +// Code to create test cases: +// https://github.com/Zokrates/pycrypto +def testOwnershipTrue() -> bool { + field[2] pk = [14197449566532409051373899088449039913101429151158365207762164998470111126084, 39815292783067036895376009933490224522172606808755118734518018525613835149403]; + field[2] sk = [0, 24537266074035586913841246471742714563414767347802800698790739697702568093815]; + + bool out = proofOfOwnership(pk, sk); + log("x is {}", out); + assert(out); + return true; +} + +// def testOwnershipFalse() -> bool { +// field[2] pk = [14197449566532409051373899088449039913101429151158365207762164998470111126084, 39815292783067036895376009933490224522172606808755118734518018525613835149403]; +// field sk = 10373199597469011642833447973814301035791960523127709637201278600637657954762; +// bool out = proofOfOwnership(pk, sk); + +// assert(!out); +// return true; +// } + +def main() { + assert(testOwnershipTrue()); + // assert(testOwnershipFalse()); +} \ No newline at end of file From ded2611731f4a6bb9d90ac705ffcea4b63d2730e Mon Sep 17 00:00:00 2001 From: alvaro-alonso Date: Tue, 21 Feb 2023 13:46:47 +0100 Subject: [PATCH 03/11] jubjub: proofOfOwnership --- .../stdlib/ecc/jubjub/proofOfOwnership.zok | 2 -- .../tests/ecc/jubjub/proofOfOwnership.zok | 19 ++++++++++--------- 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok b/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok index 2ddf218a8..d584fb290 100644 --- a/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok +++ b/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok 
@@ -18,7 +18,5 @@ def main(field[2] pk, field[2] sk) -> bool { // jubjub sk may not fit in bool[254], that why we use compress rather than nonStrictUnpack256 bool[256] sk_bits = compress(sk); field[2] res = scalarMul(sk_bits, G, EDWARDS_A, EDWARDS_D); - assert(res[1] == pk[1]); - assert(res[0] == pk[0]); return (res[0] == pk[0] && res[1] == pk[1]); } \ No newline at end of file diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok index 265a6e2da..7dc4e0548 100644 --- a/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok @@ -8,21 +8,22 @@ def testOwnershipTrue() -> bool { field[2] sk = [0, 24537266074035586913841246471742714563414767347802800698790739697702568093815]; bool out = proofOfOwnership(pk, sk); - log("x is {}", out); + assert(out); return true; } -// def testOwnershipFalse() -> bool { -// field[2] pk = [14197449566532409051373899088449039913101429151158365207762164998470111126084, 39815292783067036895376009933490224522172606808755118734518018525613835149403]; -// field sk = 10373199597469011642833447973814301035791960523127709637201278600637657954762; -// bool out = proofOfOwnership(pk, sk); +def testOwnershipFalse() -> bool { + field[2] pk = [14197449566532409051373899088449039913101429151158365207762164998470111126084, 39815292783067036895376009933490224522172606808755118734518018525613835149403]; + field[2] sk = [1, 18475905664277789456729952520987977663429644364066130483020274925168451465560]; + + bool out = proofOfOwnership(pk, sk); -// assert(!out); -// return true; -// } + assert(!out); + return true; +} def main() { assert(testOwnershipTrue()); - // assert(testOwnershipFalse()); + assert(testOwnershipFalse()); } \ No newline at end of file From 8b6a19f04aa1774d077797dc6edfcfd75bac67cd Mon Sep 17 00:00:00 2001 
From: alvaro-alonso Date: Thu, 22 Jun 2023 23:39:07 +0200 Subject: [PATCH 04/11] remove unnecessary macros --- zokrates_stdlib/stdlib/utils/pack/bool/pack256.zok | 1 - zokrates_stdlib/stdlib/utils/pack/u32/nonStrictUnpack256.zok | 2 -- 2 files changed, 3 deletions(-) diff --git a/zokrates_stdlib/stdlib/utils/pack/bool/pack256.zok b/zokrates_stdlib/stdlib/utils/pack/bool/pack256.zok index c84ff0c29..c85e4f3e5 100644 --- a/zokrates_stdlib/stdlib/utils/pack/bool/pack256.zok +++ b/zokrates_stdlib/stdlib/utils/pack/bool/pack256.zok @@ -1,4 +1,3 @@ -#pragma curve bn128 import "./pack" as pack; diff --git a/zokrates_stdlib/stdlib/utils/pack/u32/nonStrictUnpack256.zok b/zokrates_stdlib/stdlib/utils/pack/u32/nonStrictUnpack256.zok index 37311a5cf..1661a1a51 100644 --- a/zokrates_stdlib/stdlib/utils/pack/u32/nonStrictUnpack256.zok +++ b/zokrates_stdlib/stdlib/utils/pack/u32/nonStrictUnpack256.zok @@ -1,5 +1,3 @@ -#pragma curve bn128 - import "../bool/nonStrictUnpack256" as unpack; import "../../casts/bool_256_to_u32_8" as from_bits; From ae1f1361416bf9d23f1ebe2ff2648a55a74fab54 Mon Sep 17 00:00:00 2001 From: alvaro-alonso Date: Thu, 22 Jun 2023 23:40:15 +0200 Subject: [PATCH 05/11] jubjub signature verification --- .../stdlib/ecc/jubjub/verifyEddsa.zok | 46 +++++++++++++++++++ .../tests/tests/ecc/jubjub/verifyEddsa.json | 16 +++++++ .../tests/tests/ecc/jubjub/verifyEddsa.zok | 19 ++++++++ 3 files changed, 81 insertions(+) create mode 100644 zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok create mode 100644 zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.json create mode 100644 zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok b/zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok new file mode 100644 index 000000000..bb8e5c785 --- /dev/null +++ b/zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok 
@@ -0,0 +1,46 @@
+import "hashes/sha256/1024bitPadded" as sha256;
+import "utils/pack/bool/nonStrictUnpack256" as unpack256bool;
+import "utils/pack/u32/nonStrictUnpack256" as unpack256u;
+from "utils/casts" import cast;
+from "ecc/edwards" import add, scalarMul, onCurve, orderCheck;
+from "./params" import EDWARDS_A, EDWARDS_D, G;
+
+/// Verifies an EdDSA Signature.
+///
+/// Checks the correctness of a given EdDSA Signature (R,S) for the provided
+/// public key A and message (M0, M1).
+/// This python repo provides the tooling for creating valid signatures:
+/// https://github.com/Zokrates/pycrypto
+///
+/// For more information see:
+/// https://en.wikipedia.org/wiki/EdDSA
+/// https://eprint.iacr.org/2015/677.pdf
+///
+/// Arguments:
+/// R: Curve point. Hidden version of the per-message nonce.
+/// S: Field element. Signature to be verified.
+/// A: Curve point. Public part of the key used to create S.
+/// M0: 256bit array. First 256bits of the message used to create S.
+/// M1: 256bit array. Trailing 256bits of the message used to create S.
+///
+/// Returns:
+/// Return true for S being a valid EdDSA Signature, false otherwise.
+def main(field[2] R, field S, field[2] A, u32[8] M0, u32[8] M1) -> bool {
+ // Check if R is on curve and if it is not in a small subgroup. A is public input and can be checked offline
+ assert(onCurve(R, EDWARDS_A, EDWARDS_D)); // throws if R is not on curve
+ assert(orderCheck(R, EDWARDS_A, EDWARDS_D));
+
+ u32[8] Rx = unpack256u(R[0]);
+ u32[8] Ax = unpack256u(A[0]);
+
+ u32[8] h = sha256(Rx, Ax, M0, M1);
+ bool[256] hRAM = cast(h);
+
+ bool[256] sBits = unpack256bool(S);
+ field[2] lhs = scalarMul(sBits, G, EDWARDS_A, EDWARDS_D);
+
+ field[2] AhRAM = scalarMul(hRAM, A, EDWARDS_A, EDWARDS_D);
+ field[2] rhs = add(R, AhRAM, EDWARDS_A, EDWARDS_D);
+
+ return (rhs[0] == lhs[0] && rhs[1] == lhs[1]);
+}
\ No newline at end of file
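Review bot: `main` validates only R (`assert(onCurve(R, …))`, `assert(orderCheck(R, …))`) and leans on the inline comment `A is public input and can be checked offline`, but nothing in the signature makes A public; whether A is a public or private input is decided by the calling circuit, and a private A that is off-curve or in a small subgroup is never rejected here. The docstring's `A:` line should carry that contract, e.g. `/// A: Curve point. Public part of the key used to create S. Not validated here: a caller passing A as a private input must check it with onCurve/orderCheck first.` It is also worth stating in the docstring that the challenge hash commits only to the x-coordinates `R[0]` and `A[0]` (`Rx`, `Ax`) together with M0 and M1, so that signers using the referenced pycrypto tooling know exactly which encoding is bound.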
diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.json b/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.json new file mode 100644 index 000000000..98b1e734d --- /dev/null +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.json @@ -0,0 +1,16 @@ +{ + "entry_point": "./tests/tests/ecc/jubjub/verifyEddsa.zok", + "curves": ["Bls12_381"], + "tests": [ + { + "input": { + "values": [] + }, + "output": { + "Ok": { + "value": [] + } + } + } + ] +} diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok new file mode 100644 index 000000000..aebb79822 --- /dev/null +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok @@ -0,0 +1,19 @@ +import "ecc/jubjub/verifyEddsa" as verifyEddsa; +import "ecc/babyjubjub/compress" as compress; +import "utils/pack/bool/pack256" as pack256; + +// Code to create test case: +// https://github.com/Zokrates/pycrypto +def main() { + field[2] R = [32866767109220564315580607107081162920517672350707254238793964527466586251974, 31852087390335520207922973662676180854641055992940928475111512263314053365736]; + field S = 43627586196239283173178511316555190744314536456808505435494185841008559853678; + + // Public Key + field[2] A = [26479653887939839327536384197110148123933856719900448942651733342668343953867, 21757919891968253927635241665494706427345455214116275076018069565740804326091]; + + u32[8] M0 = [0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]; + u32[8] M1 = [0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000005]; + + bool isVerified = verifyEddsa(R, S, A, M0, M1); + assert(isVerified); +} \ No newline at end of file From f38f09c9cf49acd18646ca6ab962371a6dccc2ab Mon Sep 17 00:00:00 2001 
From: alvaro-alonso Date: Tue, 27 Jun 2023 14:43:01 +0200 Subject: [PATCH 06/11] valid signature verification for low values --- .../tests/tests/ecc/jubjub/verifyEddsa.zok | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok index aebb79822..3d82f075d 100644 --- a/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok 
@@ -5,11 +5,18 @@ import "utils/pack/bool/pack256" as pack256; // Code to create test case: // https://github.com/Zokrates/pycrypto def main() { - field[2] R = [32866767109220564315580607107081162920517672350707254238793964527466586251974, 31852087390335520207922973662676180854641055992940928475111512263314053365736]; - field S = 43627586196239283173178511316555190744314536456808505435494185841008559853678; + + // TODO: Jubjub currently work only for keys <=254 bit long + // With the following keys should also work: + // field[2] R = [32866767109220564315580607107081162920517672350707254238793964527466586251974, 31852087390335520207922973662676180854641055992940928475111512263314053365736]; + // field S = 43627586196239283173178511316555190744314536456808505435494185841008559853678; + // field[2] A = [26479653887939839327536384197110148123933856719900448942651733342668343953867, 21757919891968253927635241665494706427345455214116275076018069565740804326091]; + + field[2] R = [22490636668646525942229915433486323453438020635284373216128437835524621360673, 12624871741136060820677763385435731993497076701049783026530291333628743153148]; + field S = 4726755026051608078555693269742820684994756545022776898606146042065180474766; // Public Key - field[2] A = [26479653887939839327536384197110148123933856719900448942651733342668343953867, 21757919891968253927635241665494706427345455214116275076018069565740804326091]; + field[2] A = [2448502067502868941604870117226902939301253140620644024854137332469457672501, 13461260963687082967268176292121237897132924185324950183385550823033303781608]; u32[8] M0 = [0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]; u32[8] M1 = [0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000005]; From b4a349c11b93918aa9d2283a870833af24bb2907 Mon Sep 17 00:00:00 2001 
From: alvaro-alonso Date: Tue, 27 Jun 2023 15:11:39 +0200 Subject: [PATCH 07/11] Revert "remove pragma macro from nonStrictUnpack256" This reverts commit a741f9e8f99731caac4446cbbd1dad2573ae4227. --- zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok | 1 + 1 file changed, 1 insertion(+) diff --git a/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok b/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok index 639450da1..c0f0b81c7 100644 --- a/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok +++ b/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok @@ -1,3 +1,4 @@ +#pragma curve bn128 import "./unpack_unchecked"; From dc59cd5e572c62306d50a76345abff79a140504c Mon Sep 17 00:00:00 2001 From: alvaro-alonso Date: Tue, 27 Jun 2023 16:43:07 +0200 Subject: [PATCH 08/11] jubjub proofOfOwnership and signature verification --- .../stdlib/ecc/jubjub/nonStrictUnpack256Bool.zok | 11 +++++++++++ .../stdlib/ecc/jubjub/nonStrictUnpack256u32.zok | 9 +++++++++ .../stdlib/ecc/jubjub/proofOfOwnership.zok | 6 +++--- zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok | 4 ++-- .../tests/tests/ecc/jubjub/proofOfOwnership.zok | 4 ++-- .../tests/tests/ecc/jubjub/verifyEddsa.zok | 12 ++++-------- 6 files changed, 31 insertions(+), 15 deletions(-) create mode 100644 zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256Bool.zok create mode 100644 zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256u32.zok diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256Bool.zok b/zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256Bool.zok new file mode 100644 index 000000000..df8b6df49 --- /dev/null +++ b/zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256Bool.zok 
@@ -0,0 +1,11 @@ +#pragma curve bls12_381 + +import "utils/pack/bool/unpack_unchecked"; + +// Unpack a field element as 256 big-endian bits +// Note: uniqueness of the output is not guaranteed +// For example, `0` can map to `[0, 0, ..., 0]` or to `bits(p)` +def main(field i) -> bool[256] { + bool[255] b = unpack_unchecked(i); + return [false, ...b]; +} \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256u32.zok b/zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256u32.zok new file mode 100644 index 000000000..6ca34030e --- /dev/null +++ b/zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256u32.zok @@ -0,0 +1,9 @@ +import "./nonStrictUnpack256u32" as unpack; +import "utils/casts/bool_256_to_u32_8" as from_bits; + +// Unpack a field element as a u32[8] (big-endian) +// Note: uniqueness of the output is not guaranteed +// For example, `0` can map to `[0, 0, ..., 0]` or to `bits(p)` +def main(field i) -> u32[8] { + return from_bits(unpack(i)); +} \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok b/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok index d584fb290..2a2992c88 100644 --- a/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok +++ b/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok @@ -1,4 +1,4 @@ -import "../babyjubjub/compress" as compress; +import "./nonStrictUnpack256Bool" as unpack256bool; from "./params" import EDWARDS_A, EDWARDS_D, G; from "ecc/edwards" import scalarMul; 
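Review bot: The new `nonStrictUnpack256u32.zok` imports itself — `import "./nonStrictUnpack256u32" as unpack;` — so `unpack(i)` on its last line appears to resolve to this same `main` (returning `u32[8]`) rather than to a `bool[256]` producer that `from_bits` can consume; the intended module is the sibling added in the previous hunk, `import "./nonStrictUnpack256Bool" as unpack;`. The sibling carries `#pragma curve bls12_381` while this wrapper does not, so the curve restriction is only inherited through the import; adding the same pragma here would make the intent explicit.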
@@ -14,9 +14,9 @@ from "ecc/edwards" import scalarMul; /// sk: Private key /// /// Returns true for pk/sk being a valid keypair, false otherwise. -def main(field[2] pk, field[2] sk) -> bool { +def main(field[2] pk, field sk) -> bool { // jubjub sk may not fit in bool[254], that why we use compress rather than nonStrictUnpack256 - bool[256] sk_bits = compress(sk); + bool[256] sk_bits = unpack256bool(sk); field[2] res = scalarMul(sk_bits, G, EDWARDS_A, EDWARDS_D); return (res[0] == pk[0] && res[1] == pk[1]); } \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok b/zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok index bb8e5c785..df5c6cec9 100644 --- a/zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok +++ b/zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok @@ -1,8 +1,8 @@ import "hashes/sha256/1024bitPadded" as sha256; -import "utils/pack/bool/nonStrictUnpack256" as unpack256bool; -import "utils/pack/u32/nonStrictUnpack256" as unpack256u; from "utils/casts" import cast; from "ecc/edwards" import add, scalarMul, onCurve, orderCheck; +import "./nonStrictUnpack256Bool" as unpack256bool; +import "./nonStrictUnpack256u32" as unpack256u; from "./params" import EDWARDS_A, EDWARDS_D, G; /// Verifies an EdDSA Signature. diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok index 7dc4e0548..ab61865cc 100644 --- a/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok 
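Review bot: The context line `// jubjub sk may not fit in bool[254], that why we use compress rather than nonStrictUnpack256` now contradicts the code beneath it, because this hunk replaces the `compress(sk)` call with `unpack256bool(sk)`. Replace it with a comment that explains the remaining reason for the local module, e.g. `// jubjub scalars need 255 bits, so use the bls12_381-specific unpack rather than the bn128 utils/pack version`. Since the parameter type also changes from `field[2]` to `field`, the docstring's `sk: Private key` line could say `sk: Private key (scalar, as a field element)` so readers do not have to diff the signature.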
@@ -5,7 +5,7 @@ from "ecc/edwards" import scalarMul; // https://github.com/Zokrates/pycrypto def testOwnershipTrue() -> bool { field[2] pk = [14197449566532409051373899088449039913101429151158365207762164998470111126084, 39815292783067036895376009933490224522172606808755118734518018525613835149403]; - field[2] sk = [0, 24537266074035586913841246471742714563414767347802800698790739697702568093815]; + field sk = 24537266074035586913841246471742714563414767347802800698790739697702568093815; bool out = proofOfOwnership(pk, sk); @@ -15,7 +15,7 @@ def testOwnershipTrue() -> bool { def testOwnershipFalse() -> bool { field[2] pk = [14197449566532409051373899088449039913101429151158365207762164998470111126084, 39815292783067036895376009933490224522172606808755118734518018525613835149403]; - field[2] sk = [1, 18475905664277789456729952520987977663429644364066130483020274925168451465560]; + field sk = 47423927973606838312622698773159954626747140530476271492884670927146733875544; bool out = proofOfOwnership(pk, sk); diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok index 3d82f075d..6cad9a899 100644 --- a/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok 
@@ -8,15 +8,11 @@ def main() { // TODO: Jubjub currently work only for keys <=254 bit long // With the following keys should also work: - // field[2] R = [32866767109220564315580607107081162920517672350707254238793964527466586251974, 31852087390335520207922973662676180854641055992940928475111512263314053365736]; - // field S = 43627586196239283173178511316555190744314536456808505435494185841008559853678; - // field[2] A = [26479653887939839327536384197110148123933856719900448942651733342668343953867, 21757919891968253927635241665494706427345455214116275076018069565740804326091]; - - field[2] R = [22490636668646525942229915433486323453438020635284373216128437835524621360673, 12624871741136060820677763385435731993497076701049783026530291333628743153148]; - field S = 4726755026051608078555693269742820684994756545022776898606146042065180474766; - + field[2] R = [32866767109220564315580607107081162920517672350707254238793964527466586251974, 31852087390335520207922973662676180854641055992940928475111512263314053365736]; + field S = 43627586196239283173178511316555190744314536456808505435494185841008559853678; + // Public Key - field[2] A = [2448502067502868941604870117226902939301253140620644024854137332469457672501, 13461260963687082967268176292121237897132924185324950183385550823033303781608]; + field[2] A = [26479653887939839327536384197110148123933856719900448942651733342668343953867, 21757919891968253927635241665494706427345455214116275076018069565740804326091]; u32[8] M0 = [0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]; u32[8] M1 = [0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000005]; From 5b5af49b42a2af4d0eccce71019dc14f48817002 Mon Sep 17 00:00:00 2001 
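Review bot: The two context lines `// TODO: Jubjub currently work only for keys <=254 bit long` and `// With the following keys should also work:` are stale after this hunk: it un-comments exactly those full-size R, S and A values and the test then asserts that they verify, so the TODO describes a limitation the commit removes. Delete both lines; the later hunk in this series that touches the file only drops the `compress` import, so as written they survive to the end of the series. `main()` continues outside the hunk.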
From: alvaro-alonso Date: Tue, 4 Jul 2023 12:57:58 +0200 Subject: [PATCH 09/11] nunStrictUnpack256 refactor to support 255-bits fields from bls12_381 --- .../tests/tests/arrays/fun_spread.zok | 2 +- .../stdlib/ecc/babyjubjub/compress.zok | 4 +-- .../ecc/babyjubjub/proofOfOwnership.zok | 2 +- .../stdlib/ecc/babyjubjub/verifyEddsa.zok | 6 ++--- .../ecc/jubjub/nonStrictUnpack256Bool.zok | 11 -------- .../ecc/jubjub/nonStrictUnpack256u32.zok | 9 ------- .../stdlib/ecc/jubjub/proofOfOwnership.zok | 5 ++-- .../stdlib/ecc/jubjub/verifyEddsa.zok | 10 +++---- .../utils/pack/bool/nonStrictUnpack256.zok | 10 +++---- .../utils/pack/u32/nonStrictUnpack256.zok | 4 +-- .../tests/tests/ecc/jubjub/verifyEddsa.zok | 1 - .../utils/pack/bool/nonStrictUnpack256.json | 2 +- .../utils/pack/bool/nonStrictUnpack256.zok | 26 ++++++++++++++++--- .../utils/pack/u32/nonStrictUnpack256.json | 2 +- .../utils/pack/u32/nonStrictUnpack256.zok | 23 +++++++++++++--- zokrates_test/tests/out_of_range.rs | 2 +- 16 files changed, 65 insertions(+), 54 deletions(-) delete mode 100644 zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256Bool.zok delete mode 100644 zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256u32.zok diff --git a/zokrates_core_test/tests/tests/arrays/fun_spread.zok b/zokrates_core_test/tests/tests/arrays/fun_spread.zok index 7a2ccd905..861c05368 100644 --- a/zokrates_core_test/tests/tests/arrays/fun_spread.zok +++ b/zokrates_core_test/tests/tests/arrays/fun_spread.zok @@ -1,6 +1,6 @@ import "utils/pack/bool/nonStrictUnpack256.zok" as unpack256; def main(field[2] inputs) -> bool[512] { - bool[512] preimage512 = [...unpack256(inputs[0]), ...unpack256(inputs[1])]; + bool[512] preimage512 = [...unpack256(inputs[0], 254), ...unpack256(inputs[1], 254)]; return preimage512; } \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/babyjubjub/compress.zok b/zokrates_stdlib/stdlib/ecc/babyjubjub/compress.zok index 4351b36ac..9bcc819b5 100644 
--- a/zokrates_stdlib/stdlib/ecc/babyjubjub/compress.zok +++ b/zokrates_stdlib/stdlib/ecc/babyjubjub/compress.zok @@ -10,8 +10,8 @@ def main(field[2] pt) -> bool[256] { field x = pt[0]; field y = pt[1]; - bool[256] xBits = unpack256(x); - bool[256] mut yBits = unpack256(y); + bool[256] xBits = unpack256(x, 254); + bool[256] mut yBits = unpack256(y, 254); bool sign = xBits[255]; yBits[0] = sign; diff --git a/zokrates_stdlib/stdlib/ecc/babyjubjub/proofOfOwnership.zok b/zokrates_stdlib/stdlib/ecc/babyjubjub/proofOfOwnership.zok index 53f09125c..a4546ce01 100644 --- a/zokrates_stdlib/stdlib/ecc/babyjubjub/proofOfOwnership.zok +++ b/zokrates_stdlib/stdlib/ecc/babyjubjub/proofOfOwnership.zok @@ -15,7 +15,7 @@ from "ecc/edwards" import scalarMul; /// /// Returns true for pk/sk being a valid keypair, false otherwise. def main(field[2] pk, field sk) -> bool { - bool[256] sk_bits = unpack256(sk); + bool[256] sk_bits = unpack256(sk, 254); field[2] res = scalarMul(sk_bits, G, EDWARDS_A, EDWARDS_D); return (res[0] == pk[0] && res[1] == pk[1]); } \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/babyjubjub/verifyEddsa.zok b/zokrates_stdlib/stdlib/ecc/babyjubjub/verifyEddsa.zok index bb8e5c785..ebfc07a00 100644 --- a/zokrates_stdlib/stdlib/ecc/babyjubjub/verifyEddsa.zok +++ b/zokrates_stdlib/stdlib/ecc/babyjubjub/verifyEddsa.zok @@ -30,13 +30,13 @@ def main(field[2] R, field S, field[2] A, u32[8] M0, u32[8] M1) -> bool { assert(onCurve(R, EDWARDS_A, EDWARDS_D)); // throws if R is not on curve assert(orderCheck(R, EDWARDS_A, EDWARDS_D)); - u32[8] Rx = unpack256u(R[0]); - u32[8] Ax = unpack256u(A[0]); + u32[8] Rx = unpack256u(R[0], 254); + u32[8] Ax = unpack256u(A[0], 254); u32[8] h = sha256(Rx, Ax, M0, M1); bool[256] hRAM = cast(h); - bool[256] sBits = unpack256bool(S); + bool[256] sBits = unpack256bool(S, 254); field[2] lhs = scalarMul(sBits, G, EDWARDS_A, EDWARDS_D); field[2] AhRAM = scalarMul(hRAM, A, EDWARDS_A, EDWARDS_D); 
diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256Bool.zok b/zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256Bool.zok deleted file mode 100644 index df8b6df49..000000000 --- a/zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256Bool.zok +++ /dev/null @@ -1,11 +0,0 @@ -#pragma curve bls12_381 - -import "utils/pack/bool/unpack_unchecked"; - -// Unpack a field element as 256 big-endian bits -// Note: uniqueness of the output is not guaranteed -// For example, `0` can map to `[0, 0, ..., 0]` or to `bits(p)` -def main(field i) -> bool[256] { - bool[255] b = unpack_unchecked(i); - return [false, ...b]; -} \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256u32.zok b/zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256u32.zok deleted file mode 100644 index 6ca34030e..000000000 --- a/zokrates_stdlib/stdlib/ecc/jubjub/nonStrictUnpack256u32.zok +++ /dev/null @@ -1,9 +0,0 @@ -import "./nonStrictUnpack256u32" as unpack; -import "utils/casts/bool_256_to_u32_8" as from_bits; - -// Unpack a field element as a u32[8] (big-endian) -// Note: uniqueness of the output is not guaranteed -// For example, `0` can map to `[0, 0, ..., 0]` or to `bits(p)` -def main(field i) -> u32[8] { - return from_bits(unpack(i)); -} \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok b/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok index 2a2992c88..fef53a3d0 100644 --- a/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok +++ b/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok @@ -1,4 +1,4 @@ -import "./nonStrictUnpack256Bool" as unpack256bool; +import "utils/pack/bool/nonStrictUnpack256" as unpack256bool; from "./params" import EDWARDS_A, EDWARDS_D, G; from "ecc/edwards" import scalarMul; 
@@ -15,8 +15,7 @@ from "ecc/edwards" import scalarMul; /// /// Returns true for pk/sk being a valid keypair, false otherwise. def main(field[2] pk, field sk) -> bool { - // jubjub sk may not fit in bool[254], that why we use compress rather than nonStrictUnpack256 - bool[256] sk_bits = unpack256bool(sk); + bool[256] sk_bits = unpack256bool(sk, 255); field[2] res = scalarMul(sk_bits, G, EDWARDS_A, EDWARDS_D); return (res[0] == pk[0] && res[1] == pk[1]); } \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok b/zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok index df5c6cec9..3ed8b317c 100644 --- a/zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok +++ b/zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok @@ -1,8 +1,8 @@ import "hashes/sha256/1024bitPadded" as sha256; +import "utils/pack/bool/nonStrictUnpack256" as unpack256bool; +import "utils/pack/u32/nonStrictUnpack256" as unpack256u; from "utils/casts" import cast; from "ecc/edwards" import add, scalarMul, onCurve, orderCheck; -import "./nonStrictUnpack256Bool" as unpack256bool; -import "./nonStrictUnpack256u32" as unpack256u; from "./params" import EDWARDS_A, EDWARDS_D, G; /// Verifies an EdDSA Signature. @@ -30,13 +30,13 @@ def main(field[2] R, field S, field[2] A, u32[8] M0, u32[8] M1) -> bool { assert(onCurve(R, EDWARDS_A, EDWARDS_D)); // throws if R is not on curve assert(orderCheck(R, EDWARDS_A, EDWARDS_D)); - u32[8] Rx = unpack256u(R[0]); - u32[8] Ax = unpack256u(A[0]); + u32[8] Rx = unpack256u(R[0], 255); + u32[8] Ax = unpack256u(A[0], 255); u32[8] h = sha256(Rx, Ax, M0, M1); bool[256] hRAM = cast(h); - bool[256] sBits = unpack256bool(S); + bool[256] sBits = unpack256bool(S, 255); field[2] lhs = scalarMul(sBits, G, EDWARDS_A, EDWARDS_D); field[2] AhRAM = scalarMul(hRAM, A, EDWARDS_A, EDWARDS_D); diff --git a/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok b/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok index c0f0b81c7..6ba5a8662 100644 
--- a/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok +++ b/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok @@ -1,11 +1,11 @@ -#pragma curve bn128 - import "./unpack_unchecked"; // Unpack a field element as 256 big-endian bits // Note: uniqueness of the output is not guaranteed // For example, `0` can map to `[0, 0, ..., 0]` or to `bits(p)` -def main(field i) -> bool[256] { - bool[254] b = unpack_unchecked(i); - return [false, false, ...b]; +def main(field i, u32 bit_size) -> bool[256] { + assert(bit_size == 254 || bit_size == 255); + u32 padding_size = 256 - bit_size; + bool[bit_size] b = unpack_unchecked(i); + return [...[false; padding_size], ...b]; } \ No newline at end of file diff --git a/zokrates_stdlib/stdlib/utils/pack/u32/nonStrictUnpack256.zok b/zokrates_stdlib/stdlib/utils/pack/u32/nonStrictUnpack256.zok index 1661a1a51..3a3a70039 100644 --- a/zokrates_stdlib/stdlib/utils/pack/u32/nonStrictUnpack256.zok +++ b/zokrates_stdlib/stdlib/utils/pack/u32/nonStrictUnpack256.zok @@ -4,6 +4,6 @@ import "../../casts/bool_256_to_u32_8" as from_bits; // Unpack a field element as a u32[8] (big-endian) // Note: uniqueness of the output is not guaranteed // For example, `0` can map to `[0, 0, ..., 0]` or to `bits(p)` -def main(field i) -> u32[8] { - return from_bits(unpack(i)); +def main(field i, u32 bit_size) -> u32[8] { + return from_bits(unpack(i, bit_size)); } \ No newline at end of file diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok index 6cad9a899..2438f6c65 100644 --- a/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok @@ -1,5 +1,4 @@ import "ecc/jubjub/verifyEddsa" as verifyEddsa; -import "ecc/babyjubjub/compress" as compress; import "utils/pack/bool/pack256" as pack256; // Code to create test case: 
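Review bot: Dropping `#pragma curve bn128` from `utils/pack/bool/nonStrictUnpack256.zok` lets the module compile on any curve, but nothing in the new `main(field i, u32 bit_size)` ties `bit_size` to the active field: `assert(bit_size == 254 || bit_size == 255)` accepts both values on both curves, and the correct width now lives as a bare literal at each call site (254 in the babyjubjub callers, 255 in the jubjub ones). The header comment should state the contract, e.g. `// bit_size must equal the bit length of the field modulus of the curve in use (254 for bn128, 255 for bls12_381); a smaller value cannot represent every field element`, and the same note belongs on the u32 wrapper in the next hunk, whose `// Unpack a field element as a u32[8] (big-endian)` comment also does not mention the new parameter. I cannot tell from here whether `unpack_unchecked` with a `bit_size` below the field width fails or wraps, so that sentence should be confirmed against the helper before it is committed.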
diff --git a/zokrates_stdlib/tests/tests/utils/pack/bool/nonStrictUnpack256.json b/zokrates_stdlib/tests/tests/utils/pack/bool/nonStrictUnpack256.json index dc6f88bd7..e7c734581 100644 --- a/zokrates_stdlib/tests/tests/utils/pack/bool/nonStrictUnpack256.json +++ b/zokrates_stdlib/tests/tests/utils/pack/bool/nonStrictUnpack256.json @@ -1,6 +1,6 @@ { "entry_point": "./tests/tests/utils/pack/bool/nonStrictUnpack256.zok", - "curves": ["Bn128"], + "curves": ["Bls12_381"], "tests": [ { "input": { diff --git a/zokrates_stdlib/tests/tests/utils/pack/bool/nonStrictUnpack256.zok b/zokrates_stdlib/tests/tests/utils/pack/bool/nonStrictUnpack256.zok index 9cd9694ad..8e8746b26 100644 --- a/zokrates_stdlib/tests/tests/utils/pack/bool/nonStrictUnpack256.zok +++ b/zokrates_stdlib/tests/tests/utils/pack/bool/nonStrictUnpack256.zok 
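Review bot: Switching `curves` from `["Bn128"]` to `["Bls12_381"]` means the 254-bit path of `nonStrictUnpack256` is no longer exercised on bn128, the curve for which the babyjubjub callers in this series pass `254`; both the 254 and 255 cases in the accompanying test now run only on Bls12_381. If a 255-bit unpack is not valid on bn128, split the test entry point per width so the 254 case can keep `"curves": ["Bn128", "Bls12_381"]` while the 255 case stays on Bls12_381 alone.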
@@ -1,26 +1,44 @@ import "utils/pack/bool/nonStrictUnpack256" as unpack256; def testFive() -> bool { - bool[256] b = unpack256(5); + bool[256] b = unpack256(5, 254); assert(b == [false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, true, false, true]); + + bool[256] b = 
unpack256(5, 255); + assert(b == [false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, true, false, true]); + return true; } def testZero() -> bool { - bool[256] b = unpack256(0); + bool[256] b = unpack256(0, 254); + assert(b == [false, false, false, false, false, false, false, 
false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false]); + + bool[256] b = unpack256(0, 255); assert(b == [false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, 
false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false]); + return true; } def testLarge() -> bool { - bool[256] b = unpack256(14474011154664524427946373126085988481658748083205070504932198000989141204991); + bool[256] b = unpack256(14474011154664524427946373126085988481658748083205070504932198000989141204991, 254); assert(b == [false, false, false, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, 
true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true]); + + bool[256] b = unpack256(28948022309329048855892746252171976963317496166410141009864396001978282409983, 255); + assert(b == [false, false, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, 
true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true]); + return true; } def testMax() -> bool { - bool[256] b = unpack256(21888242871839275222246405745257275088548364400416034343698204186575808495616); + // bn128 + bool[256] b = unpack256(21888242871839275222246405745257275088548364400416034343698204186575808495616, 254); assert(b == [false, false, true, true, false, false, false, false, false, true, true, false, false, true, false, false, false, true, false, false, true, true, true, false, false, true, true, true, false, false, true, false, true, true, true, false, false, false, false, true, false, false, true, true, false, false, false, true, true, false, true, false, false, false, false, false, false, false, true, false, true, false, false, true, true, false, true, true, true, false, false, false, false, true, false, true, false, false, false, false, false, true, false, false, false, true, false, true, true, false, true, true, false, true, true, false, true, 
false, false, false, false, false, false, true, true, false, false, false, false, false, false, true, false, true, false, true, true, false, false, false, false, true, false, true, true, true, false, true, false, false, true, false, true, false, false, false, false, false, true, true, false, false, true, true, true, true, true, false, true, false, false, false, false, true, false, false, true, false, false, false, false, true, true, true, true, false, false, true, true, false, true, true, true, false, false, true, false, true, true, true, false, false, false, false, true, false, false, true, false, false, false, true, false, true, false, false, false, false, true, true, true, true, true, false, false, false, false, true, true, true, true, true, false, true, false, true, true, false, false, true, false, false, true, true, true, true, true, true, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false]); + + // bls12_381 + bool[256] b = unpack256(52435875175126190479447740508185965837690552500527637822603658699938581184512, 255); + assert(b == [false, true, true, true, false, false, true, true, true, true, true, false, true, true, false, true, true, false, true, false, false, true, true, true, false, true, false, true, false, false, true, true, false, false, true, false, true, false, false, true, true, false, false, true, true, true, false, true, false, true, true, true, true, true, false, true, false, true, false, false, true, false, false, false, false, false, true, true, false, false, true, true, false, false, true, true, true, false, false, true, true, true, false, true, true, false, false, false, false, false, false, false, true, false, false, false, false, false, false, false, true, false, false, true, true, false, true, false, false, false, false, true, true, true, false, true, true, false, false, false, false, false, 
false, false, false, true, false, true, false, true, false, true, false, false, true, true, true, false, true, true, true, true, false, true, true, false, true, false, false, true, false, false, false, false, false, false, false, false, true, false, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, false, false, true, false, true, true, false, true, true, true, true, true, true, true, true, true, false, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, true, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false, false]); + return true; } diff --git a/zokrates_stdlib/tests/tests/utils/pack/u32/nonStrictUnpack256.json b/zokrates_stdlib/tests/tests/utils/pack/u32/nonStrictUnpack256.json index 00815fc75..5a8dc41e3 100644 --- a/zokrates_stdlib/tests/tests/utils/pack/u32/nonStrictUnpack256.json +++ b/zokrates_stdlib/tests/tests/utils/pack/u32/nonStrictUnpack256.json @@ -1,6 +1,6 @@ { "entry_point": "./tests/tests/utils/pack/u32/nonStrictUnpack256.zok", - "curves": ["Bn128"], + "curves": ["Bls12_381"], "tests": [ { "input": { diff --git a/zokrates_stdlib/tests/tests/utils/pack/u32/nonStrictUnpack256.zok b/zokrates_stdlib/tests/tests/utils/pack/u32/nonStrictUnpack256.zok index 4a865fb6e..67be9afda 100644 --- a/zokrates_stdlib/tests/tests/utils/pack/u32/nonStrictUnpack256.zok +++ b/zokrates_stdlib/tests/tests/utils/pack/u32/nonStrictUnpack256.zok 
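Review bot: The `// bn128` case in `testMax` now runs only under Bls12_381, because the accompanying nonStrictUnpack256.json change switches `curves` to `["Bls12_381"]`, so `unpack256(_, 254)` is exercised on a 255-bit field and the value labelled bn128 is just another field element there; the 255-bit values added above exceed the bn128 modulus, so covering the 254 path on bn128 itself would need a separate test entry with `"curves": ["Bn128"]`. Each function also declares `bool[256] b` a second time for the 255-bit case; a distinct name such as `b255` would not lean on redeclaration and reads more clearly. The u32 test hunk in the next file section has the same two issues.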
@@ -1,26 +1,41 @@ import "utils/pack/u32/nonStrictUnpack256" as unpack256; def testFive() -> bool { - u32[8] b = unpack256(5); + u32[8] b = unpack256(5, 254); assert(b == [0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000005]); + + u32[8] b = unpack256(5, 255); + assert(b == [0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000005]); + return true; } def testZero() -> bool { - u32[8] b = unpack256(0); + u32[8] b = unpack256(0, 254); + assert(b == [0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]); + + u32[8] b = unpack256(0, 255); assert(b == [0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]); return true; } def testLarge() -> bool { - u32[8] b = unpack256(14474011154664524427946373126085988481658748083205070504932198000989141204991); + u32[8] b = unpack256(14474011154664524427946373126085988481658748083205070504932198000989141204991, 254); assert(b == [0x1fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff]); + + u32[8] b = unpack256(28948022309329048855892746252171976963317496166410141009864396001978282409983, 255); + assert(b == [0x3fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff]); return true; } def testMax() -> bool { - u32[8] b = unpack256(21888242871839275222246405745257275088548364400416034343698204186575808495616); + // bn128 + u32[8] b = unpack256(21888242871839275222246405745257275088548364400416034343698204186575808495616, 254); assert(b == [0x30644e72, 0xe131a029, 0xb85045b6, 0x8181585d, 0x2833e848, 0x79b97091, 0x43e1f593, 0xf0000000]); + + // bls12_381 + u32[8] b = unpack256(52435875175126190479447740508185965837690552500527637822603658699938581184512, 255); + assert(b == [0x73eda753, 0x299d7d48, 0x3339d808, 0x09a1d805, 0x53bda402, 0xfffe5bfe, 0xffffffff, 0x00000000]); return true; } 
diff --git a/zokrates_test/tests/out_of_range.rs b/zokrates_test/tests/out_of_range.rs
index ea2800252..730485ae7 100644
--- a/zokrates_test/tests/out_of_range.rs
+++ b/zokrates_test/tests/out_of_range.rs
@@ -133,7 +133,7 @@ fn unpack256_unchecked() {
 import "utils/pack/bool/nonStrictUnpack256";
 def main(private field a) {
- bool[256] bits = nonStrictUnpack256(a);
+ bool[256] bits = nonStrictUnpack256(a, 254);
 assert(bits[255]);
 return;
 }
From 4fbc5c584e163ddaeb6da11c479051af42cdb75d Mon Sep 17 00:00:00 2001
From: alvaro-alonso Date: Tue, 4 Jul 2023 13:44:04 +0200 Subject: [PATCH 10/11] stdlib ecc module refactor to facilitate the addition signatures from other curves --- zokrates_stdlib/stdlib/ecc/babyjubjub.zok | 46 +++++++++++++++++++ .../stdlib/ecc/babyjubjub/compress.zok | 20 -------- .../stdlib/ecc/babyjubjub/params.zok | 13 ------ .../stdlib/ecc/babyjubjub/verifyEddsa.zok | 46 ------------------- .../ecc/{jubjub/params.zok => jubjub.zok} | 20 +++++++- .../stdlib/ecc/jubjub/proofOfOwnership.zok | 21 --------- .../ecc/{babyjubjub => }/proofOfOwnership.zok | 5 +- .../stdlib/ecc/{jubjub => }/verifyEddsa.zok | 9 ++-- .../stdlib/hashes/pedersen/512bitBool.zok | 3 +- .../tests/tests/ecc/babyjubjub/compress.zok | 3 +- .../tests/tests/ecc/babyjubjub/edwardsAdd.zok | 2 +- .../tests/ecc/babyjubjub/edwardsOnCurve.zok | 2 +- .../ecc/babyjubjub/edwardsOrderCheck.zok | 2 +- .../ecc/babyjubjub/edwardsScalarMult.zok | 2 +- .../tests/ecc/babyjubjub/proofOfOwnership.zok | 4 +- .../tests/ecc/babyjubjub/verifyEddsa.zok | 2 +- .../tests/tests/ecc/jubjub/edwardsAdd.zok | 2 +- .../tests/tests/ecc/jubjub/edwardsOnCurve.zok | 2 +- .../tests/ecc/jubjub/edwardsOrderCheck.zok | 2 +- .../tests/ecc/jubjub/edwardsScalarMult.zok | 2 +- .../tests/ecc/jubjub/proofOfOwnership.zok | 4 +- .../tests/tests/ecc/jubjub/verifyEddsa.zok | 4 +- 22 files changed, 88 insertions(+), 128 deletions(-) create mode 100644 zokrates_stdlib/stdlib/ecc/babyjubjub.zok delete mode 100644 zokrates_stdlib/stdlib/ecc/babyjubjub/compress.zok delete mode 100644 zokrates_stdlib/stdlib/ecc/babyjubjub/params.zok delete mode 100644 zokrates_stdlib/stdlib/ecc/babyjubjub/verifyEddsa.zok rename zokrates_stdlib/stdlib/ecc/{jubjub/params.zok => jubjub.zok} (53%) delete mode 100644 zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok rename zokrates_stdlib/stdlib/ecc/{babyjubjub => }/proofOfOwnership.zok (80%) rename zokrates_stdlib/stdlib/ecc/{jubjub => }/verifyEddsa.zok (85%) 
diff --git a/zokrates_stdlib/stdlib/ecc/babyjubjub.zok b/zokrates_stdlib/stdlib/ecc/babyjubjub.zok
new file mode 100644
index 000000000..2df5ec0f8
--- /dev/null
+++ b/zokrates_stdlib/stdlib/ecc/babyjubjub.zok
@@ -0,0 +1,46 @@
+#pragma curve bn128
+
+import "./proofOfOwnership" as edwardsProofOfOwnership;
+import "./verifyEddsa" as edwardsSignature;
+import "utils/pack/bool/nonStrictUnpack256" as unpack256;
+
+
+// The `a` coefficient of the twisted Edwards curve
+const field EDWARDS_A = 168700;
+
+// The `d` coefficient of the twisted Edwards curve
+const field EDWARDS_D = 168696;
+
+// The generator point
+const field[2] G = [
+ 16540640123574156134436876038791482806971768689494387082833631921987005038935, // Gx
+ 20819045374670962167435360035096875258406992893633759881276124905556507972311 // Gy
+];
+
+const u32 bit_size = 254;
+
+
+def proofOfOwnership(field[2] pk, field sk) -> bool {
+
+ return edwardsProofOfOwnership(pk, sk, G, EDWARDS_A, EDWARDS_D, bit_size);
+}
+
+
+def verifyEddsa(field[2] R, field S, field[2] A, u32[8] M0, u32[8] M1) -> bool {
+
+ return edwardsSignature(R, S, A, M0, M1, G, EDWARDS_A, EDWARDS_D, bit_size);
+}
+
+
+def compress(field[2] pt) -> bool[256] {
+ field x = pt[0];
+ field y = pt[1];
+
+ bool[256] xBits = unpack256(x, 254);
+ bool[256] mut yBits = unpack256(y, 254);
+
+ bool sign = xBits[255];
+ yBits[0] = sign;
+
+ return yBits;
+}
\ No newline at end of file
diff --git a/zokrates_stdlib/stdlib/ecc/babyjubjub/compress.zok b/zokrates_stdlib/stdlib/ecc/babyjubjub/compress.zok
deleted file mode 100644
index 9bcc819b5..000000000
--- a/zokrates_stdlib/stdlib/ecc/babyjubjub/compress.zok
+++ /dev/null
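Review bot: `compress` lost the comment that explained its output layout when it moved here from ecc/babyjubjub/compress.zok; restore it above the definition, e.g. `// Compress a curve point to 256 big-endian bits: y's bits, with the lowest bit of x written into the top (padding) bit`, and the deleted file's Python reference `y | ((x & 1) << 255)` is worth carrying over with it. Its two `unpack256(…, 254)` calls hard-code the width that `bit_size` already holds a few lines above; `unpack256(x, bit_size)` keeps them in step. `const u32 bit_size` is also the only lower-case constant beside `EDWARDS_A`, `EDWARDS_D` and `G`, and the same naming and the same pair of one-line wrappers are repeated in ecc/jubjub.zok.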
@@ -1,20 +0,0 @@
-import "utils/pack/bool/nonStrictUnpack256" as unpack256;
-
-// Compress curve point to a 256-bit boolean array using the big-endian bit order
-// Python code reference:
-// def compress(self):
-// x = self.x.n
-// y = self.y.n
-// return int.to_bytes(y | ((x & 1) << 255), 32, "big")
-def main(field[2] pt) -> bool[256] {
- field x = pt[0];
- field y = pt[1];
-
- bool[256] xBits = unpack256(x, 254);
- bool[256] mut yBits = unpack256(y, 254);
-
- bool sign = xBits[255];
- yBits[0] = sign;
-
- return yBits;
-}
\ No newline at end of file
diff --git a/zokrates_stdlib/stdlib/ecc/babyjubjub/params.zok b/zokrates_stdlib/stdlib/ecc/babyjubjub/params.zok
deleted file mode 100644
index 6dd695dd1..000000000
--- a/zokrates_stdlib/stdlib/ecc/babyjubjub/params.zok
+++ /dev/null
@@ -1,13 +0,0 @@
-#pragma curve bn128
-
-// The `a` coefficient of the twisted Edwards curve
-const field EDWARDS_A = 168700;
-
-// The `d` coefficient of the twisted Edwards curve
-const field EDWARDS_D = 168696;
-
-// The generator point
-const field[2] G = [
- 16540640123574156134436876038791482806971768689494387082833631921987005038935, // Gx
- 20819045374670962167435360035096875258406992893633759881276124905556507972311 // Gy
-];
\ No newline at end of file
diff --git a/zokrates_stdlib/stdlib/ecc/babyjubjub/verifyEddsa.zok b/zokrates_stdlib/stdlib/ecc/babyjubjub/verifyEddsa.zok
deleted file mode 100644
index ebfc07a00..000000000
--- a/zokrates_stdlib/stdlib/ecc/babyjubjub/verifyEddsa.zok
+++ /dev/null
@@ -1,46 +0,0 @@
-import "hashes/sha256/1024bitPadded" as sha256;
-import "utils/pack/bool/nonStrictUnpack256" as unpack256bool;
-import "utils/pack/u32/nonStrictUnpack256" as unpack256u;
-from "utils/casts" import cast;
-from "ecc/edwards" import add, scalarMul, onCurve, orderCheck;
-from "./params" import EDWARDS_A, EDWARDS_D, G;
-
-/// Verifies an EdDSA Signature.
-///
-/// Checks the correctness of a given EdDSA Signature (R,S) for the provided
-/// public key A and message (M0, M1).
-/// This python repo provides the tooling for creating valid signatures:
-/// https://github.com/Zokrates/pycrypto
-///
-/// For more information see:
-/// https://en.wikipedia.org/wiki/EdDSA
-/// https://eprint.iacr.org/2015/677.pdf
-///
-/// Arguments:
-/// R: Curve point. Hidden version of the per-message nonce.
-/// S: Field element. Signature to be verified.
-/// A: Curve point. Public part of the key used to create S.
-/// M0: 256bit array. First 256bits of the message used to create S.
-/// M1: 256bit array. Trailing 256bits of the message used to create S.
-///
-/// Returns:
-/// Return true for S being a valid EdDSA Signature, false otherwise.
-def main(field[2] R, field S, field[2] A, u32[8] M0, u32[8] M1) -> bool {
- // Check if R is on curve and if it is not in a small subgroup. A is public input and can be checked offline
- assert(onCurve(R, EDWARDS_A, EDWARDS_D)); // throws if R is not on curve
- assert(orderCheck(R, EDWARDS_A, EDWARDS_D));
-
- u32[8] Rx = unpack256u(R[0], 254);
- u32[8] Ax = unpack256u(A[0], 254);
-
- u32[8] h = sha256(Rx, Ax, M0, M1);
- bool[256] hRAM = cast(h);
-
- bool[256] sBits = unpack256bool(S, 254);
- field[2] lhs = scalarMul(sBits, G, EDWARDS_A, EDWARDS_D);
-
- field[2] AhRAM = scalarMul(hRAM, A, EDWARDS_A, EDWARDS_D);
- field[2] rhs = add(R, AhRAM, EDWARDS_A, EDWARDS_D);
-
- return (rhs[0] == lhs[0] && rhs[1] == lhs[1]);
-}
\ No newline at end of file
diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/params.zok b/zokrates_stdlib/stdlib/ecc/jubjub.zok
similarity index 53%
rename from zokrates_stdlib/stdlib/ecc/jubjub/params.zok
rename to zokrates_stdlib/stdlib/ecc/jubjub.zok
index c4273750f..89eb6e9a0 100644
--- a/zokrates_stdlib/stdlib/ecc/jubjub/params.zok
+++ b/zokrates_stdlib/stdlib/ecc/jubjub.zok
@@ -1,5 +1,9 @@
 #pragma curve bls12_381
+import "./proofOfOwnership" as edwardsProofOfOwnership;
+import "./verifyEddsa" as edwardsSignature;
+
+
 // The `a` coefficient of the twisted Edwards curve
 const field EDWARDS_A = -1;
@@ -10,4 +14,18 @@ const field EDWARDS_D = 19257038036680949359750312669786877991949435402254120286
 const field[2] G = [
 11076627216317271660298050606127911965867021807910416450833192264015104452986, // Gx
 44412834903739585386157632289020980010620626017712148233229312325549216099227 // Gy
-];
\ No newline at end of file
+];
+
+const u32 bit_size = 255;
+
+
+def proofOfOwnership(field[2] pk, field sk) -> bool {
+
+ return edwardsProofOfOwnership(pk, sk, G, EDWARDS_A, EDWARDS_D, bit_size);
+}
+
+
+def verifyEddsa(field[2] R, field S, field[2] A, u32[8] M0, u32[8] M1) -> bool {
+
+ return edwardsSignature(R, S, A, M0, M1, G, EDWARDS_A, EDWARDS_D, bit_size);
+}
\ No newline at end of file
diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok b/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok
deleted file mode 100644
index fef53a3d0..000000000
--- a/zokrates_stdlib/stdlib/ecc/jubjub/proofOfOwnership.zok
+++ /dev/null
@@ -1,21 +0,0 @@
-import "utils/pack/bool/nonStrictUnpack256" as unpack256bool;
-from "./params" import EDWARDS_A, EDWARDS_D, G;
-from "ecc/edwards" import scalarMul;
-
-/// Verifies match of a given public/private keypair.
-///
-/// Checks if the following equation holds for the provided keypair:
-/// pk = sk*G
-/// where G is the chosen base point of the subgroup
-/// and * denotes scalar multiplication in the subgroup
-///
-/// Arguments:
-/// pk: Curve point (public key)
-/// sk: Private key
-///
-/// Returns true for pk/sk being a valid keypair, false otherwise.
-def main(field[2] pk, field sk) -> bool {
- bool[256] sk_bits = unpack256bool(sk, 255);
- field[2] res = scalarMul(sk_bits, G, EDWARDS_A, EDWARDS_D);
- return (res[0] == pk[0] && res[1] == pk[1]);
-}
\ No newline at end of file
diff --git a/zokrates_stdlib/stdlib/ecc/babyjubjub/proofOfOwnership.zok b/zokrates_stdlib/stdlib/ecc/proofOfOwnership.zok
similarity index 80%
rename from zokrates_stdlib/stdlib/ecc/babyjubjub/proofOfOwnership.zok
rename to zokrates_stdlib/stdlib/ecc/proofOfOwnership.zok
index a4546ce01..7642737e2 100644
--- a/zokrates_stdlib/stdlib/ecc/babyjubjub/proofOfOwnership.zok
+++ b/zokrates_stdlib/stdlib/ecc/proofOfOwnership.zok
@@ -1,5 +1,4 @@
 import "utils/pack/bool/nonStrictUnpack256" as unpack256;
-from "./params" import EDWARDS_A, EDWARDS_D, G;
 from "ecc/edwards" import scalarMul;
 /// Verifies match of a given public/private keypair.
@@ -14,8 +13,8 @@ from "ecc/edwards" import scalarMul;
 /// sk: Private key
 ///
 /// Returns true for pk/sk being a valid keypair, false otherwise.
-def main(field[2] pk, field sk) -> bool {
- bool[256] sk_bits = unpack256(sk, 254);
+def main(field[2] pk, field sk, field[2] G, field EDWARDS_A, field EDWARDS_D, u32 bit_size) -> bool {
+ bool[256] sk_bits = unpack256(sk, bit_size);
 field[2] res = scalarMul(sk_bits, G, EDWARDS_A, EDWARDS_D);
 return (res[0] == pk[0] && res[1] == pk[1]);
 }
\ No newline at end of file
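Review bot: The doc block above the new signature still lists only `pk` and `sk` under Arguments, while `main` now also takes `G`, `EDWARDS_A`, `EDWARDS_D` and `bit_size`; add lines such as `/// G: Base point of the subgroup`, `/// EDWARDS_A, EDWARDS_D: Coefficients of the twisted Edwards curve`, `/// bit_size: Bit length of the field (254 for bn128, 255 for bls12_381)`. It is worth stating there that these four must describe the curve the circuit is compiled for: this file has no `#pragma curve`, nothing in it checks the parameters against each other, and nonStrictUnpack256's own assert only rejects values other than 254 and 255. The doc block starts outside the hunk. The verifyEddsa rename in the next file section adds the same four parameters with the same documentation gap.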
diff --git a/zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok b/zokrates_stdlib/stdlib/ecc/verifyEddsa.zok
similarity index 85%
rename from zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok
rename to zokrates_stdlib/stdlib/ecc/verifyEddsa.zok
index 3ed8b317c..51103e745 100644
--- a/zokrates_stdlib/stdlib/ecc/jubjub/verifyEddsa.zok
+++ b/zokrates_stdlib/stdlib/ecc/verifyEddsa.zok
@@ -3,7 +3,6 @@ import "utils/pack/bool/nonStrictUnpack256" as unpack256bool;
 import "utils/pack/u32/nonStrictUnpack256" as unpack256u;
 from "utils/casts" import cast;
 from "ecc/edwards" import add, scalarMul, onCurve, orderCheck;
-from "./params" import EDWARDS_A, EDWARDS_D, G;
 /// Verifies an EdDSA Signature.
 ///
@@ -25,18 +24,18 @@ from "./params" import EDWARDS_A, EDWARDS_D, G;
 ///
 /// Returns:
 /// Return true for S being a valid EdDSA Signature, false otherwise.
-def main(field[2] R, field S, field[2] A, u32[8] M0, u32[8] M1) -> bool {
+def main(field[2] R, field S, field[2] A, u32[8] M0, u32[8] M1, field[2] G, field EDWARDS_A, field EDWARDS_D, u32 bit_size) -> bool {
 // Check if R is on curve and if it is not in a small subgroup. A is public input and can be checked offline
 assert(onCurve(R, EDWARDS_A, EDWARDS_D)); // throws if R is not on curve
 assert(orderCheck(R, EDWARDS_A, EDWARDS_D));
- u32[8] Rx = unpack256u(R[0], 255);
- u32[8] Ax = unpack256u(A[0], 255);
+ u32[8] Rx = unpack256u(R[0], bit_size);
+ u32[8] Ax = unpack256u(A[0], bit_size);
 u32[8] h = sha256(Rx, Ax, M0, M1);
 bool[256] hRAM = cast(h);
- bool[256] sBits = unpack256bool(S, 255);
+ bool[256] sBits = unpack256bool(S, bit_size);
 field[2] lhs = scalarMul(sBits, G, EDWARDS_A, EDWARDS_D);
 field[2] AhRAM = scalarMul(hRAM, A, EDWARDS_A, EDWARDS_D);
diff --git a/zokrates_stdlib/stdlib/hashes/pedersen/512bitBool.zok b/zokrates_stdlib/stdlib/hashes/pedersen/512bitBool.zok
index aa9a62afb..0e1786a0b 100644
--- a/zokrates_stdlib/stdlib/hashes/pedersen/512bitBool.zok
+++ b/zokrates_stdlib/stdlib/hashes/pedersen/512bitBool.zok
@@ -1,8 +1,7 @@ import "utils/multiplexer/lookup3bitSigned" as sel3s; import "utils/multiplexer/lookup2bit" as sel2; -import "ecc/babyjubjub/compress"; from "ecc/edwards" import add; -from "ecc/babyjubjub/params" import EDWARDS_A, EDWARDS_D; +from "ecc/babyjubjub" import EDWARDS_A, EDWARDS_D, compress; // Code to export generators used in this example: // import bitstring diff --git a/zokrates_stdlib/tests/tests/ecc/babyjubjub/compress.zok b/zokrates_stdlib/tests/tests/ecc/babyjubjub/compress.zok index b74505d43..2f174fe4c 100644 --- a/zokrates_stdlib/tests/tests/ecc/babyjubjub/compress.zok +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/compress.zok @@ -1,5 +1,4 @@ -import "ecc/babyjubjub/compress"; -from "ecc/babyjubjub/params" import G; +from "ecc/babyjubjub" import G, compress; // Code to create test cases: // https://github.com/Zokrates/pycrypto diff --git a/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsAdd.zok b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsAdd.zok index d38391e2b..802c63873 100644 --- a/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsAdd.zok +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsAdd.zok @@ -1,5 +1,5 @@ from "ecc/edwards" import add, negate; -from "ecc/babyjubjub/params" import G, EDWARDS_A, EDWARDS_D; +from "ecc/babyjubjub" import G, EDWARDS_A, EDWARDS_D; // Code to create test cases: // https://github.com/Zokrates/pycrypto diff --git a/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOnCurve.zok b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOnCurve.zok index 45b14bf8a..6be0b79d7 100644 --- a/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOnCurve.zok +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOnCurve.zok @@ -1,5 +1,5 @@ from "ecc/edwards" import onCurve; -from "ecc/babyjubjub/params" import EDWARDS_A, EDWARDS_D; +from "ecc/babyjubjub" import EDWARDS_A, EDWARDS_D; // Code to create test cases: // https://github.com/Zokrates/pycrypto 
diff --git a/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOrderCheck.zok b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOrderCheck.zok index 6d44f2db2..bf16f0bf8 100644 --- a/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOrderCheck.zok +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsOrderCheck.zok @@ -1,5 +1,5 @@ from "ecc/edwards" import orderCheck; -from "ecc/babyjubjub/params" import EDWARDS_A, EDWARDS_D; +from "ecc/babyjubjub" import EDWARDS_A, EDWARDS_D; // Code to create test cases: // https://github.com/Zokrates/pycrypto diff --git a/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsScalarMult.zok b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsScalarMult.zok index bcf1efdbb..960acddfe 100644 --- a/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsScalarMult.zok +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/edwardsScalarMult.zok @@ -1,5 +1,5 @@ from "ecc/edwards" import scalarMul as mul; -from "ecc/babyjubjub/params" import G, EDWARDS_A, EDWARDS_D; +from "ecc/babyjubjub" import G, EDWARDS_A, EDWARDS_D; // Code to create test cases: // https://github.com/Zokrates/pycrypto diff --git a/zokrates_stdlib/tests/tests/ecc/babyjubjub/proofOfOwnership.zok b/zokrates_stdlib/tests/tests/ecc/babyjubjub/proofOfOwnership.zok index 98c387bff..bacbdae21 100644 --- a/zokrates_stdlib/tests/tests/ecc/babyjubjub/proofOfOwnership.zok +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/proofOfOwnership.zok @@ -1,5 +1,5 @@ -import "ecc/babyjubjub/proofOfOwnership" as proofOfOwnership; -from "ecc/edwards" import scalarMul; +from "ecc/babyjubjub" import proofOfOwnership; + // Code to create test cases: // https://github.com/Zokrates/pycrypto diff --git a/zokrates_stdlib/tests/tests/ecc/babyjubjub/verifyEddsa.zok b/zokrates_stdlib/tests/tests/ecc/babyjubjub/verifyEddsa.zok index e813aa133..ff86dc696 100644 --- a/zokrates_stdlib/tests/tests/ecc/babyjubjub/verifyEddsa.zok +++ b/zokrates_stdlib/tests/tests/ecc/babyjubjub/verifyEddsa.zok 
@@ -1,4 +1,4 @@ -import "ecc/babyjubjub/verifyEddsa" as verifyEddsa; +from "ecc/babyjubjub" import verifyEddsa; // Code to create test case: // https://github.com/Zokrates/pycrypto diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsAdd.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsAdd.zok index 2d72da6dd..4306cfb55 100644 --- a/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsAdd.zok +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsAdd.zok @@ -1,5 +1,5 @@ from "ecc/edwards" import add, negate; -from "ecc/jubjub/params" import G, EDWARDS_A, EDWARDS_D; +from "ecc/jubjub" import G, EDWARDS_A, EDWARDS_D; def testDoubleViaAdd() -> bool { field[2] out = add(G, G, EDWARDS_A, EDWARDS_D); diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOnCurve.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOnCurve.zok index 68e0b0be6..dda5bd262 100644 --- a/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOnCurve.zok +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOnCurve.zok @@ -1,5 +1,5 @@ from "ecc/edwards" import onCurve; -from "ecc/jubjub/params" import EDWARDS_A, EDWARDS_D; +from "ecc/jubjub" import EDWARDS_A, EDWARDS_D; def main() { field u = 11076627216317271660298050606127911965867021807910416450833192264015104452986; diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOrderCheck.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOrderCheck.zok index 93332d861..e6c10e323 100644 --- a/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOrderCheck.zok +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsOrderCheck.zok @@ -1,5 +1,5 @@ from "ecc/edwards" import orderCheck; -from "ecc/jubjub/params" import EDWARDS_A, EDWARDS_D; +from "ecc/jubjub" import EDWARDS_A, EDWARDS_D; def testOrderCheckTrue() -> bool { field u = 11076627216317271660298050606127911965867021807910416450833192264015104452986; 
diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsScalarMult.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsScalarMult.zok index 348b0b977..64590c424 100644 --- a/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsScalarMult.zok +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/edwardsScalarMult.zok @@ -1,5 +1,5 @@ from "ecc/edwards" import scalarMul as mul; -from "ecc/jubjub/params" import G, EDWARDS_A, EDWARDS_D; +from "ecc/jubjub" import G, EDWARDS_A, EDWARDS_D; /* def testCyclic() -> bool { diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok index ab61865cc..ea6b20e6a 100644 --- a/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/proofOfOwnership.zok @@ -1,5 +1,5 @@ -import "ecc/jubjub/proofOfOwnership" as proofOfOwnership; -from "ecc/edwards" import scalarMul; +from "ecc/jubjub" import proofOfOwnership; + // Code to create test cases: // https://github.com/Zokrates/pycrypto diff --git a/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok b/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok index 2438f6c65..ce07cdc51 100644 --- a/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok +++ b/zokrates_stdlib/tests/tests/ecc/jubjub/verifyEddsa.zok @@ -1,5 +1,5 @@ -import "ecc/jubjub/verifyEddsa" as verifyEddsa; -import "utils/pack/bool/pack256" as pack256; +from "ecc/jubjub" import verifyEddsa; + // Code to create test case: // https://github.com/Zokrates/pycrypto From e391fe13237e27509663997629e3a0d0d13b2fc8 Mon Sep 17 00:00:00 2001 From: alvaro-alonso Date: Wed, 27 Sep 2023 14:10:08 +0200 Subject: [PATCH 11/11] review changes applied --- zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok b/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok
index 6ba5a8662..070a865a9 100644
--- a/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok
+++ b/zokrates_stdlib/stdlib/utils/pack/bool/nonStrictUnpack256.zok
@@ -4,7 +4,7 @@ import "./unpack_unchecked";
 // Note: uniqueness of the output is not guaranteed
 // For example, `0` can map to `[0, 0, ..., 0]` or to `bits(p)`
 def main(field i, u32 bit_size) -> bool[256] {
- assert(bit_size == 254 || bit_size == 255);
+ assert(bit_size <= 256);
 u32 padding_size = 256 - bit_size;
 bool[bit_size] b = unpack_unchecked(i);
 return [...[false; padding_size], ...b];
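Review bot: `assert(bit_size <= 256)` now only protects the `u32` subtraction `256 - bit_size` on the next line; it no longer ties `bit_size` to the width of the active field and it also admits `bit_size == 0`. A width above the field size presumably lets more than one 256-bit pattern satisfy the decomposition of the same `i`, widening the non-uniqueness the header comment already warns about, while a width below the field size presumably makes inputs of `2^bit_size` or more unsatisfiable inside `unpack_unchecked` (not part of the hunk). I would extend the comment above `main` with `// bit_size must cover the active field's bit width; the larger it is relative to the field, the more bit patterns map to the same input`, so the callers that now forward `bit_size` from the generic ecc functions know which value to pass. `main`'s closing brace lies outside the hunk.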