2020-08-27 16:46:49 +03:00
|
|
|
include "./poseidon_constants.circom";
|
2019-06-04 14:40:15 +03:00
|
|
|
|
|
|
|
template Sigma() {
|
|
|
|
signal input in;
|
|
|
|
signal output out;
|
|
|
|
|
|
|
|
signal in2;
|
|
|
|
signal in4;
|
|
|
|
|
|
|
|
in2 <== in*in;
|
|
|
|
in4 <== in2*in2;
|
|
|
|
|
|
|
|
out <== in4*in;
|
|
|
|
}
|
|
|
|
|
2020-08-09 18:13:04 +03:00
|
|
|
template Ark(t, C, r) {
|
2019-06-04 14:40:15 +03:00
|
|
|
signal input in[t];
|
|
|
|
signal output out[t];
|
2020-08-09 18:13:04 +03:00
|
|
|
|
2019-06-04 14:40:15 +03:00
|
|
|
for (var i=0; i<t; i++) {
|
2020-08-09 18:13:04 +03:00
|
|
|
out[i] <== in[i] + C[i + r];
|
2019-06-04 14:40:15 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
template Mix(t, M) {
|
|
|
|
signal input in[t];
|
|
|
|
signal output out[t];
|
2019-12-14 22:32:45 +03:00
|
|
|
|
2020-08-09 18:13:04 +03:00
|
|
|
var lc;
|
|
|
|
for (var i=0; i<t; i++) {
|
2019-06-04 14:40:15 +03:00
|
|
|
lc = 0;
|
2020-08-09 18:13:04 +03:00
|
|
|
for (var j=0; j<t; j++) {
|
|
|
|
lc += M[j][i]*in[j];
|
2019-06-04 14:40:15 +03:00
|
|
|
}
|
|
|
|
out[i] <== lc;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-08-09 18:13:04 +03:00
|
|
|
template Poseidon(nInputs) {
|
2019-06-04 14:40:15 +03:00
|
|
|
signal input inputs[nInputs];
|
|
|
|
signal output out;
|
|
|
|
|
2020-08-27 16:46:49 +03:00
|
|
|
// Using recommended parameters from whitepaper https://eprint.iacr.org/2019/458.pdf (table 2, table 8)
|
|
|
|
// Generated by https://extgit.iaik.tugraz.at/krypto/hadeshash/-/blob/master/code/calc_round_numbers.py
|
|
|
|
// And rounded up to nearest integer that divides by t
|
2020-08-09 18:13:04 +03:00
|
|
|
var N_ROUNDS_P[8] = [56, 57, 56, 60, 60, 63, 64, 63];
|
|
|
|
var t = nInputs + 1;
|
|
|
|
var nRoundsF = 8;
|
|
|
|
var nRoundsP = N_ROUNDS_P[t - 2];
|
2020-08-27 16:46:49 +03:00
|
|
|
var C[t*(nRoundsF + nRoundsP)] = POSEIDON_C(t);
|
|
|
|
var M[t][t] = POSEIDON_M(t);
|
2020-08-09 18:13:04 +03:00
|
|
|
|
|
|
|
component ark[nRoundsF + nRoundsP - 1];
|
|
|
|
component sigmaF[nRoundsF - 1][t];
|
2019-06-04 14:40:15 +03:00
|
|
|
component sigmaP[nRoundsP];
|
2020-08-09 18:13:04 +03:00
|
|
|
component mix[nRoundsF + nRoundsP - 1];
|
2019-06-04 14:40:15 +03:00
|
|
|
|
|
|
|
var k;
|
|
|
|
|
2020-08-09 18:13:04 +03:00
|
|
|
for (var i=0; i<nRoundsF + nRoundsP - 1; i++) {
|
|
|
|
ark[i] = Ark(t, C, t*i);
|
|
|
|
for (var j=0; j<t; j++) {
|
2019-06-04 14:40:15 +03:00
|
|
|
if (i==0) {
|
|
|
|
if (j<nInputs) {
|
|
|
|
ark[i].in[j] <== inputs[j];
|
|
|
|
} else {
|
|
|
|
ark[i].in[j] <== 0;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
ark[i].in[j] <== mix[i-1].out[j];
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-08-09 18:13:04 +03:00
|
|
|
if (i < nRoundsF/2 || i >= nRoundsP + nRoundsF/2) {
|
|
|
|
k = i < nRoundsF/2 ? i : i - nRoundsP;
|
|
|
|
mix[i] = Mix(t, M);
|
|
|
|
for (var j=0; j<t; j++) {
|
2019-06-04 14:40:15 +03:00
|
|
|
sigmaF[k][j] = Sigma();
|
|
|
|
sigmaF[k][j].in <== ark[i].out[j];
|
|
|
|
mix[i].in[j] <== sigmaF[k][j].out;
|
|
|
|
}
|
|
|
|
} else {
|
2020-08-09 18:13:04 +03:00
|
|
|
k = i - nRoundsF/2;
|
|
|
|
mix[i] = Mix(t, M);
|
2019-06-04 14:40:15 +03:00
|
|
|
sigmaP[k] = Sigma();
|
|
|
|
sigmaP[k].in <== ark[i].out[0];
|
|
|
|
mix[i].in[0] <== sigmaP[k].out;
|
2020-08-09 18:13:04 +03:00
|
|
|
for (var j=1; j<t; j++) {
|
2019-06-04 14:40:15 +03:00
|
|
|
mix[i].in[j] <== ark[i].out[j];
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-08-09 18:13:04 +03:00
|
|
|
// last round is done only for the first word, so we do it manually to save constraints
|
|
|
|
component lastSigmaF = Sigma();
|
|
|
|
lastSigmaF.in <== mix[nRoundsF + nRoundsP - 2].out[0] + C[t*(nRoundsF + nRoundsP - 1)];
|
|
|
|
out <== lastSigmaF.out;
|
2019-06-04 14:40:15 +03:00
|
|
|
}
|