2018-12-16 13:27:29 +03:00
|
|
|
/*
|
|
|
|
Copyright 2018 0KIMS association.
|
|
|
|
|
|
|
|
This file is part of circom (Zero Knowledge Circuit Compiler).
|
|
|
|
|
|
|
|
circom is a free software: you can redistribute it and/or modify it
|
|
|
|
under the terms of the GNU General Public License as published by
|
|
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
circom is distributed in the hope that it will be useful, but WITHOUT
|
|
|
|
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
|
|
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
|
|
|
|
License for more details.
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
along with circom. If not, see <https://www.gnu.org/licenses/>.
|
|
|
|
*/
|
2018-11-27 18:03:57 +03:00
|
|
|
|
|
|
|
include "montgomery.circom";
|
|
|
|
include "babyjub.circom";
|
2019-09-05 18:10:20 +03:00
|
|
|
include "comparators.circom";
|
2018-11-27 18:03:57 +03:00
|
|
|
|
|
|
|
template Multiplexor2() {
|
|
|
|
signal input sel;
|
|
|
|
signal input in[2][2];
|
|
|
|
signal output out[2];
|
|
|
|
|
|
|
|
out[0] <== (in[1][0] - in[0][0])*sel + in[0][0];
|
|
|
|
out[1] <== (in[1][1] - in[0][1])*sel + in[0][1];
|
|
|
|
}
|
|
|
|
|
2018-11-27 20:30:33 +03:00
|
|
|
template BitElementMulAny() {
|
2018-11-27 18:03:57 +03:00
|
|
|
signal input sel;
|
|
|
|
signal input dblIn[2];
|
|
|
|
signal input addIn[2];
|
|
|
|
signal output dblOut[2];
|
|
|
|
signal output addOut[2];
|
|
|
|
|
|
|
|
component doubler = MontgomeryDouble();
|
|
|
|
component adder = MontgomeryAdd();
|
|
|
|
component selector = Multiplexor2();
|
|
|
|
|
|
|
|
|
|
|
|
sel ==> selector.sel;
|
|
|
|
|
|
|
|
dblIn[0] ==> doubler.in[0];
|
|
|
|
dblIn[1] ==> doubler.in[1];
|
|
|
|
doubler.out[0] ==> adder.in1[0];
|
|
|
|
doubler.out[1] ==> adder.in1[1];
|
|
|
|
addIn[0] ==> adder.in2[0];
|
|
|
|
addIn[1] ==> adder.in2[1];
|
|
|
|
addIn[0] ==> selector.in[0][0];
|
|
|
|
addIn[1] ==> selector.in[0][1];
|
|
|
|
adder.out[0] ==> selector.in[1][0];
|
|
|
|
adder.out[1] ==> selector.in[1][1];
|
|
|
|
|
|
|
|
doubler.out[0] ==> dblOut[0];
|
|
|
|
doubler.out[1] ==> dblOut[1];
|
|
|
|
selector.out[0] ==> addOut[0];
|
|
|
|
selector.out[1] ==> addOut[1];
|
|
|
|
}
|
|
|
|
|
|
|
|
// p is montgomery point
|
|
|
|
// n must be <= 248
|
|
|
|
// returns out in twisted edwards
|
|
|
|
// Double is in montgomery to be linked;
|
|
|
|
|
2018-11-27 20:30:33 +03:00
|
|
|
template SegmentMulAny(n) {
|
2018-11-27 18:03:57 +03:00
|
|
|
signal input e[n];
|
|
|
|
signal input p[2];
|
|
|
|
signal output out[2];
|
|
|
|
signal output dbl[2];
|
|
|
|
|
|
|
|
component bits[n-1];
|
|
|
|
|
|
|
|
component e2m = Edwards2Montgomery();
|
|
|
|
|
|
|
|
p[0] ==> e2m.in[0];
|
|
|
|
p[1] ==> e2m.in[1];
|
|
|
|
|
|
|
|
var i;
|
|
|
|
|
2018-11-27 20:30:33 +03:00
|
|
|
bits[0] = BitElementMulAny();
|
2018-11-27 18:03:57 +03:00
|
|
|
e2m.out[0] ==> bits[0].dblIn[0]
|
|
|
|
e2m.out[1] ==> bits[0].dblIn[1]
|
|
|
|
e2m.out[0] ==> bits[0].addIn[0]
|
|
|
|
e2m.out[1] ==> bits[0].addIn[1]
|
|
|
|
e[1] ==> bits[0].sel;
|
|
|
|
|
|
|
|
for (i=1; i<n-1; i++) {
|
2018-11-27 20:30:33 +03:00
|
|
|
bits[i] = BitElementMulAny();
|
2018-11-27 18:03:57 +03:00
|
|
|
|
|
|
|
bits[i-1].dblOut[0] ==> bits[i].dblIn[0]
|
|
|
|
bits[i-1].dblOut[1] ==> bits[i].dblIn[1]
|
|
|
|
bits[i-1].addOut[0] ==> bits[i].addIn[0]
|
|
|
|
bits[i-1].addOut[1] ==> bits[i].addIn[1]
|
|
|
|
e[i+1] ==> bits[i].sel;
|
|
|
|
}
|
|
|
|
|
|
|
|
bits[n-2].dblOut[0] ==> dbl[0];
|
|
|
|
bits[n-2].dblOut[1] ==> dbl[1];
|
|
|
|
|
|
|
|
component m2e = Montgomery2Edwards();
|
|
|
|
|
|
|
|
bits[n-2].addOut[0] ==> m2e.in[0];
|
|
|
|
bits[n-2].addOut[1] ==> m2e.in[1];
|
|
|
|
|
|
|
|
component eadder = BabyAdd();
|
|
|
|
|
|
|
|
m2e.out[0] ==> eadder.x1;
|
|
|
|
m2e.out[1] ==> eadder.y1;
|
|
|
|
-p[0] ==> eadder.x2;
|
|
|
|
p[1] ==> eadder.y2;
|
|
|
|
|
|
|
|
component lastSel = Multiplexor2();
|
|
|
|
|
|
|
|
e[0] ==> lastSel.sel;
|
|
|
|
eadder.xout ==> lastSel.in[0][0];
|
|
|
|
eadder.yout ==> lastSel.in[0][1];
|
|
|
|
m2e.out[0] ==> lastSel.in[1][0];
|
|
|
|
m2e.out[1] ==> lastSel.in[1][1];
|
|
|
|
|
|
|
|
lastSel.out[0] ==> out[0];
|
|
|
|
lastSel.out[1] ==> out[1];
|
|
|
|
}
|
|
|
|
|
|
|
|
// This function assumes that p is in the subgroup and it is different to 0
|
|
|
|
|
|
|
|
template EscalarMulAny(n) {
|
|
|
|
signal input e[n]; // Input in binary format
|
|
|
|
signal input p[2]; // Point (Twisted format)
|
|
|
|
signal output out[2]; // Point (Twisted format)
|
|
|
|
|
|
|
|
var nsegments = (n-1)\148 +1;
|
|
|
|
var nlastsegment = n - (nsegments-1)*148;
|
|
|
|
|
|
|
|
component segments[nsegments];
|
|
|
|
component doublers[nsegments-1];
|
|
|
|
component m2e[nsegments-1];
|
|
|
|
component adders[nsegments-1];
|
2019-09-05 18:10:20 +03:00
|
|
|
component zeropoint = IsZero();
|
|
|
|
zeropoint.in <== p[0];
|
2018-11-27 18:03:57 +03:00
|
|
|
|
|
|
|
var s;
|
|
|
|
var i;
|
|
|
|
var nseg;
|
|
|
|
|
|
|
|
for (s=0; s<nsegments; s++) {
|
|
|
|
|
|
|
|
nseg = (s < nsegments-1) ? 148 : nlastsegment;
|
|
|
|
|
2018-11-27 20:30:33 +03:00
|
|
|
segments[s] = SegmentMulAny(nseg);
|
2018-11-27 18:03:57 +03:00
|
|
|
|
|
|
|
for (i=0; i<nseg; i++) {
|
|
|
|
e[s*148+i] ==> segments[s].e[i];
|
|
|
|
}
|
|
|
|
|
|
|
|
if (s==0) {
|
2019-09-05 18:10:20 +03:00
|
|
|
// force G8 point if input point is zero
|
|
|
|
segments[s].p[0] <== p[0] + (5299619240641551281634865583518297030282874472190772894086521144482721001553 - p[0])*zeropoint.out;
|
|
|
|
segments[s].p[1] <== p[1] + (16950150798460657717958625567821834550301663161624707787222815936182638968203 - p[1])*zeropoint.out;
|
2018-11-27 18:03:57 +03:00
|
|
|
} else {
|
|
|
|
doublers[s-1] = MontgomeryDouble();
|
|
|
|
m2e[s-1] = Montgomery2Edwards();
|
|
|
|
adders[s-1] = BabyAdd();
|
|
|
|
|
|
|
|
segments[s-1].dbl[0] ==> doublers[s-1].in[0];
|
|
|
|
segments[s-1].dbl[1] ==> doublers[s-1].in[1];
|
|
|
|
|
|
|
|
doublers[s-1].out[0] ==> m2e[s-1].in[0];
|
|
|
|
doublers[s-1].out[1] ==> m2e[s-1].in[1];
|
|
|
|
|
|
|
|
m2e[s-1].out[0] ==> segments[s].p[0];
|
|
|
|
m2e[s-1].out[1] ==> segments[s].p[1];
|
|
|
|
|
|
|
|
if (s==1) {
|
|
|
|
segments[s-1].out[0] ==> adders[s-1].x1;
|
|
|
|
segments[s-1].out[1] ==> adders[s-1].y1;
|
|
|
|
} else {
|
|
|
|
adders[s-2].xout ==> adders[s-1].x1;
|
|
|
|
adders[s-2].yout ==> adders[s-1].y1;
|
|
|
|
}
|
|
|
|
segments[s].out[0] ==> adders[s-1].x2;
|
|
|
|
segments[s].out[1] ==> adders[s-1].y2;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (nsegments == 1) {
|
2019-09-05 18:10:20 +03:00
|
|
|
segments[0].out[0]*(1-zeropoint.out) ==> out[0];
|
|
|
|
segments[0].out[1]+(1-segments[0].out[1])*zeropoint.out ==> out[1];
|
2018-11-27 18:03:57 +03:00
|
|
|
} else {
|
2019-09-05 18:10:20 +03:00
|
|
|
adders[nsegments-2].xout*(1-zeropoint.out) ==> out[0];
|
|
|
|
adders[nsegments-2].yout+(1-adders[nsegments-2].yout)*zeropoint.out ==> out[1];
|
2018-11-27 18:03:57 +03:00
|
|
|
}
|
|
|
|
}
|