Merge pull request #147 from zk-passport/csca-sha1-rsapss

zk-passport · Jul 14, 2024 · 63bbc67 · 63bbc67
2 parents 6df6ce1 + e1f518a
commit 63bbc67
Show file tree

Hide file tree

Showing 72 changed files with 3,591 additions and 1,686 deletions.
diff --git a/.github/workflows/action.yml b/.github/workflows/action.yml
@@ -0,0 +1,52 @@
+name: Proof of Passport CI/CD
+on:
+  push:
+    branches:
+      - dev
+      - main
+  pull_request:
+    branches:
+      - dev
+      - main
+jobs:
+  run_circuit_tests:
+    runs-on: ubuntu-latest
+    environment: development
+    steps:
+      - uses: actions/checkout@v3
+
+      # Circom installation from https://github.com/erhant/circomkit/blob/main/.github/workflows/tests.yml
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install --yes \
+            build-essential \
+            libgmp-dev \
+            libsodium-dev \
+            nasm \
+            nlohmann-json3-dev
+
+      - name: Set Node.js 18.x
+        uses: actions/setup-node@v3
+        with:
+          node-version: 18
+
+      - name: Setup Rust
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Download Circom Binary v2.1.8
+        run: |
+          wget -qO /home/runner/work/circom https://github.com/iden3/circom/releases/download/v2.1.8/circom-linux-amd64
+          chmod +x /home/runner/work/circom
+          sudo mv /home/runner/work/circom /bin/circom
+
+      - name: Print Circom version
+        run: circom --version
+
+      - name: Install Yarn dependencies
+        working-directory: ./circuits
+        run: yarn install-circuits --immutable
+
+      - name: Run Tests
+        working-directory: ./circuits
+        run: yarn test
diff --git a/circuits/circuits/disclose.circom → circuits/circuits/disclose/disclose.circom b/circuits/circuits/disclose.circom → circuits/circuits/disclose/disclose.circom
@@ -2,8 +2,8 @@ pragma circom 2.1.5;
 
 include "circomlib/circuits/poseidon.circom";
 include "@zk-email/circuits/utils/bytes.circom";
-include "./utils/isOlderThan.circom";
-include "./utils/isValid.circom";
+include "../utils/isOlderThan.circom";
+include "../utils/isValid.circom";
 include "binary-merkle-root.circom";
 
 template Disclose(nLevels) {

diff --git a/circuits/circuits/dsc/dsc_sha1_rsa.circom b/circuits/circuits/dsc/dsc_sha1_rsa.circom
@@ -0,0 +1,75 @@
+pragma circom 2.1.5;
+include "circomlib/circuits/bitify.circom";
+include "circomlib/circuits/poseidon.circom";
+include "circomlib/circuits/comparators.circom";
+include "binary-merkle-root.circom";
+include "../utils/splitBytesToWords.circom";
+include "../utils/splitSignalsToWords.circom";
+include "../utils/Sha1Bytes.circom";
+include "../utils/leafHasher.circom";
+include "../utils/rsaPkcs1.circom";
+
+template DSC_SHA1_RSA(max_cert_bytes, n_dsc, k_dsc, n_csca, k_csca, dsc_mod_len, nLevels ) {
+    signal input raw_dsc_cert[max_cert_bytes]; 
+    signal input raw_dsc_cert_padded_bytes;
+    signal input csca_modulus[k_csca];
+    signal input dsc_signature[k_csca];
+    signal input dsc_modulus[k_dsc];
+    signal input start_index;
+    signal input secret;
+
+    signal input merkle_root;
+    signal input path[nLevels];
+    signal input siblings[nLevels];
+
+    signal output blinded_dsc_commitment;
+
+    //verify the leaf
+    component leafHasher = LeafHasher(n_csca,k_csca);
+    leafHasher.in <== csca_modulus;
+    signal leaf <== leafHasher.out;
+
+
+    signal computed_merkle_root <== BinaryMerkleRoot(nLevels)(leaf, nLevels, path, siblings);
+    merkle_root === computed_merkle_root;
+
+    // variables verification
+    assert(max_cert_bytes % 64 == 0);
+    assert(n_csca * k_csca > max_cert_bytes);
+    assert(n_csca <= (255 \ 2));
+
+    // hash raw TBS certificate
+    signal sha[160] <== Sha1Bytes(max_cert_bytes)(raw_dsc_cert, raw_dsc_cert_padded_bytes);
+    component sstw_1 = SplitSignalsToWords(1,160, n_csca, k_csca);
+    for (var i = 0; i < 160; i++) {
+        sstw_1.in[i] <== sha[159 - i];
+    }
+
+    //verify RSA dsc_signature
+    component rsa = RSAVerify65537(n_csca, k_csca);
+    for (var i = 0; i < k_csca; i++) {
+        rsa.base_message[i] <== sstw_1.out[i];
+        rsa.modulus[i] <== csca_modulus[i];
+        rsa.signature[i] <== dsc_signature[i];
+    }
+
+    // verify DSC csca_modulus
+    component shiftLeft = VarShiftLeft(max_cert_bytes, dsc_mod_len);
+    shiftLeft.in <== raw_dsc_cert;
+    shiftLeft.shift <== start_index;
+    component spbt_1 = SplitBytesToWords(dsc_mod_len, n_dsc, k_dsc);
+    spbt_1.in <== shiftLeft.out;
+    for (var i = 0; i < k_dsc; i++) {
+        dsc_modulus[i] === spbt_1.out[i];
+    }
+    // generate blinded commitment
+    component sstw_2 = SplitSignalsToWords(n_dsc,k_dsc, 230, 9);
+    sstw_2.in <== dsc_modulus;
+    component poseidon = Poseidon(10);
+    poseidon.inputs[0] <== secret;
+    for (var i = 0; i < 9; i++) {
+        poseidon.inputs[i+1] <== sstw_2.out[i];
+    }
+    blinded_dsc_commitment <== poseidon.out;
+}
+
diff --git a/circuits/circuits/dsc.circom → circuits/circuits/dsc/dsc_sha256_rsa.circom b/circuits/circuits/dsc.circom → circuits/circuits/dsc/dsc_sha256_rsa.circom
@@ -6,12 +6,12 @@ include "circomlib/circuits/comparators.circom";
 include "@zk-email/circuits/lib/sha.circom";
 include "@zk-email/circuits/lib/rsa.circom";
 include "binary-merkle-root.circom";
-include "./utils/splitBytesToWords.circom";
-include "./utils/splitSignalsToWords.circom";
-include "./utils/leafHasher.circom";
-include "./utils/leafHasher2.circom";
+include "../utils/splitBytesToWords.circom";
+include "../utils/splitSignalsToWords.circom";
+include "../utils/leafHasher.circom";
+include "../utils/leafHasher.circom";
 
-template DSC(max_cert_bytes, n_dsc, k_dsc, n_csca, k_csca, dsc_mod_len, nLevels ) {
+template DSC_SHA256_RSA(max_cert_bytes, n_dsc, k_dsc, n_csca, k_csca, dsc_mod_len, nLevels ) {
     signal input raw_dsc_cert[max_cert_bytes]; 
     signal input raw_dsc_cert_padded_bytes;
     signal input csca_modulus[k_csca];
@@ -26,13 +26,9 @@ template DSC(max_cert_bytes, n_dsc, k_dsc, n_csca, k_csca, dsc_mod_len, nLevels
 
     signal output blinded_dsc_commitment;
 
-    // verify the leaf
-    // component leafHasher = LeafHasher(k_csca);
-    // leafHasher.in <== csca_modulus;
-    // signal leaf <== leafHasher.out;
-    component leafHasher2 = LeafHasher2(n_csca,k_csca);
-    leafHasher2.in <== csca_modulus;
-    signal leaf <== leafHasher2.out;
+    component leafHasher = LeafHasher(n_csca,k_csca);
+    leafHasher.in <== csca_modulus;
+    signal leaf <== leafHasher.out;
 
 
     signal computed_merkle_root <== BinaryMerkleRoot(nLevels)(leaf, nLevels, path, siblings);
@@ -45,31 +41,16 @@ template DSC(max_cert_bytes, n_dsc, k_dsc, n_csca, k_csca, dsc_mod_len, nLevels
 
     // hash raw TBS certificate
     signal sha[256] <== Sha256Bytes(max_cert_bytes)(raw_dsc_cert, raw_dsc_cert_padded_bytes);
-
-    var msg_len = (256+n_csca)\n_csca;
-    component base_msg[msg_len];
-    for (var i = 0; i < msg_len; i++) {
-        base_msg[i] = Bits2Num(n_csca);
-    }
+    component sstw_1 = SplitSignalsToWords(1,256, n_csca, k_csca);
     for (var i = 0; i < 256; i++) {
-        base_msg[i\n_csca].in[i%n_csca] <== sha[255 - i];
-    }
-    for (var i = 256; i < n_csca*msg_len; i++) {
-        base_msg[i\n_csca].in[i%n_csca] <== 0;
+        sstw_1.in[i] <== sha[255 - i];
     }
 
     // verify RSA dsc_signature
     component rsa = RSAVerifier65537(n_csca, k_csca);
-    for (var i = 0; i < msg_len; i++) {
-        rsa.message[i] <== base_msg[i].out;
-    }
-    for (var i = msg_len; i < k_csca; i++) {
-        rsa.message[i] <== 0;
-    }
     for (var i = 0; i < k_csca; i++) {
+        rsa.message[i] <== sstw_1.out[i];
         rsa.modulus[i] <== csca_modulus[i];
-    }
-    for (var i = 0; i < k_csca; i++) {
         rsa.signature[i] <== dsc_signature[i];
     }
 
@@ -83,12 +64,12 @@ template DSC(max_cert_bytes, n_dsc, k_dsc, n_csca, k_csca, dsc_mod_len, nLevels
         dsc_modulus[i] === spbt_1.out[i];
     }
     // generate blinded commitment
-    component spbt_2 = SplitSignalsToWords(n_dsc,k_dsc, 230, 9);
-    spbt_2.in <== dsc_modulus;
+    component sstw_2 = SplitSignalsToWords(n_dsc,k_dsc, 230, 9);
+    sstw_2.in <== dsc_modulus;
     component poseidon = Poseidon(10);
     poseidon.inputs[0] <== secret;
     for (var i = 0; i < 9; i++) {
-        poseidon.inputs[i+1] <== spbt_2.out[i];
+        poseidon.inputs[i+1] <== sstw_2.out[i];
     }
     blinded_dsc_commitment <== poseidon.out;
 }

diff --git a/...s/circuits/dsc_sha256WithRSASSAPSS.circom → ...its/circuits/dsc/dsc_sha256_rsapss.circom b/...s/circuits/dsc_sha256WithRSASSAPSS.circom → ...its/circuits/dsc/dsc_sha256_rsapss.circom
@@ -4,12 +4,14 @@ include "circomlib/circuits/bitify.circom";
 include "circomlib/circuits/poseidon.circom";
 include "circomlib/circuits/comparators.circom";
 include "@zk-email/circuits/lib/sha.circom";
-include "./utils/RSASSAPSS_padded.circom";
 include "binary-merkle-root.circom";
-include "./utils/splitBytesToWords.circom";
-include "./utils/splitSignalsToWords.circom";
+include "../utils/splitBytesToWords.circom";
+include "../utils/splitSignalsToWords.circom";
+include "../utils/RSASSAPSS_padded.circom";
+include "../utils/leafHasher.circom";
 
-template DSC(max_cert_bytes, n_dsc, k_dsc, n_csca, k_csca, dsc_mod_len, nLevels ) {
+
+template DSC_SHA256_RSAPSS(max_cert_bytes, n_dsc, k_dsc, n_csca, k_csca, dsc_mod_len, nLevels ) {
     signal input raw_dsc_cert[max_cert_bytes]; 
     signal input raw_dsc_cert_padded_bytes;
     signal input csca_modulus[k_csca];
@@ -25,33 +27,19 @@ template DSC(max_cert_bytes, n_dsc, k_dsc, n_csca, k_csca, dsc_mod_len, nLevels
     signal output blinded_dsc_commitment;
 
     // verify the leaf
+    component leafHasher = LeafHasher(n_csca,k_csca);
+    leafHasher.in <== csca_modulus;
+    signal leaf <== leafHasher.out;
 
-
-    // component poseidon16first = Poseidon(16);
-    // component poseidon16next = Poseidon(16);
-    // component poseidon2last = Poseidon(2);
-    // component poseidonfinal = Poseidon(3);
-    // for (var i = 0; i < 16; i++) {
-    //     poseidon16first.inputs[i] <== csca_modulus[i];
-    //     poseidon16next.inputs[i] <== csca_modulus[i+16];
-    // }
-    // poseidon2last.inputs[0] <== csca_modulus[32];
-    // poseidon2last.inputs[1] <== csca_modulus[33];
-    // poseidonfinal.inputs[0] <== poseidon16first.out;
-    // poseidonfinal.inputs[1] <== poseidon16next.out;
-    // poseidonfinal.inputs[2] <== poseidon2last.out;
-    // signal leaf <== poseidonfinal.out;
-
-
-    // signal computed_merkle_root <== BinaryMerkleRoot(nLevels)(leaf, nLevels, path, siblings);
-    // merkle_root === computed_merkle_root;
+    signal computed_merkle_root <== BinaryMerkleRoot(nLevels)(leaf, nLevels, path, siblings);
+    merkle_root === computed_merkle_root;
 
     // variables verification
     assert(max_cert_bytes % 64 == 0);
     assert(n_csca * k_csca > max_cert_bytes);
     assert(n_csca <= (255 \ 2));
 
-        // decode signature to get encoded message
+    // decode signature to get encoded message
     component rsaDecode = RSASSAPSS_Decode(n_csca, k_csca);
     rsaDecode.signature <== dsc_signature;
     rsaDecode.modulus <== csca_modulus;
@@ -73,12 +61,12 @@ template DSC(max_cert_bytes, n_dsc, k_dsc, n_csca, k_csca, dsc_mod_len, nLevels
         dsc_modulus[i] === spbt_1.out[i];
     }
     // generate blinded commitment
-    component spbt_2 = SplitSignalsToWords(n_dsc,k_dsc, 230, 9);
-    spbt_2.in <== dsc_modulus;
+    component sstw_1 = SplitSignalsToWords(n_dsc,k_dsc, 230, 9);
+    sstw_1.in <== dsc_modulus;
     component poseidon = Poseidon(10);
     poseidon.inputs[0] <== secret;
     for (var i = 0; i < 9; i++) {
-        poseidon.inputs[i+1] <== spbt_2.out[i];
+        poseidon.inputs[i+1] <== sstw_1.out[i];
     }
     blinded_dsc_commitment <== poseidon.out;
 }