# CircomLib/Circuits

## Description

- This folder contains circuit templates for standard operations and many cryptographic primitives.
- Below you can find specifications of each function. In the representation of elements, there are three types:
    - Binary
    - String
    - Field element (the field is specified in each case. We consider 2 possible fields: Fp and Fr, where p... and r... .)

## Table of Contents

[TOC]
## Jordi

* compconstant - Returns 1 if `in` (expanded to binary array) > `ct`
* aliascheck - check if `in` (expanded to binary array) overflowed its 254 bits (<= -1)
* babyjub - twisted Edwards curve 168700.x^2 + y^2 = 1 + 168696.x^2.y^2
    * BabyAdd - (`xout`,`yout`) = (`x1`,`y1`) + (`x2`,`y2`)
    * BabyDbl - (`xout`,`yout`) = 2*(`x`,`y`)
    * BabyCheck - check that (`x`,`y`) is on the curve
* binsub - binary subtraction
* gates - logical gates
* mimc - SNARK-friendly hash with Minimal Multiplicative Complexity.
    * https://eprint.iacr.org/2016/492.pdf
    * zcash/zcash#2233
* smt - Sparse Merkle Tree
    * https://ethresear.ch/t/optimizing-sparse-merkle-trees/3751
* montgomery - https://en.wikipedia.org/wiki/Montgomery_curve
## Circuits

### sha256

Folder containing the implementation of the sha256 hash circuit.

### smt

Folder containing the circuit implementation of Sparse Merkle Trees.

### aliascheck

- `AliasCheck()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE
### babyjub

Arithmetic on [Baby Jubjub elliptic curve](https://github.com/barryWhiteHat/baby_jubjub) in twisted Edwards form. (TODO: Expose here the characteristics of the curve?)

- `BabyAdd()`

    - DESCRIPTION

    It adds two points on the Baby Jubjub curve. More specifically, given two points P1 = (`x1`, `y1`) and P2 = (`x2`, `y2`) it returns a point P3 = (`xout`, `yout`) such that

    (`xout`, `yout`) = (`x1`, `y1`) + (`x2`, `y2`)

    = ( (`x1`*`y2` + `y1`*`x2`) / (1 + `d`*`x1`*`x2`*`y1`*`y2`) , (`y1`*`y2` - `a`*`x1`*`x2`) / (1 - `d`*`x1`*`x2`*`y1`*`y2`) )

    where `a` and `d` are the curve parameters (`var a` and `var d` in the schema).

    - SCHEMA

    ```
                        var a         var d
                          |             |
                          |             |
                   _______v_____________v________
    input x1 ----> |                            |
    input y1 ----> |         BabyAdd()          | ----> output xout
    input x2 ----> |                            | ----> output yout
    input y2 ----> |____________________________|
    ```

    - INPUTS

    | Input | Representation | Type | Description |
    | ------------- | ------------- | ------------- | ------------- |
    | `x1` | Bigint | Field element of Fp | First coordinate of a point (x1, y1) on E. |
    | `y1` | Bigint | Field element of Fp | Second coordinate of a point (x1, y1) on E. |
    | `x2` | Bigint | Field element of Fp | First coordinate of a point (x2, y2) on E. |
    | `y2` | Bigint | Field element of Fp | Second coordinate of a point (x2, y2) on E. |

    Requirement: at least one of `x1` != `x2` or `y1` != `y2` must hold, i.e. the two input points differ.

    - OUTPUT

    | Output | Representation | Type | Description |
    | ------------- | ------------- | ------------- | ------------- |
    | `xout` | Bigint | Field element of Fp | First coordinate of the addition point (xout, yout) = (x1, y1) + (x2, y2). |
    | `yout` | Bigint | Field element of Fp | Second coordinate of the addition point (xout, yout) = (x1, y1) + (x2, y2). |

    - BENCHMARKS (constraints)

    - EXAMPLE

- `BabyDbl()`

    - DESCRIPTION: doubles a point, (`xout`, `yout`) = 2*(`x`, `y`).
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `BabyCheck()`

    - DESCRIPTION: checks that a given point is on the curve.
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `BabyPbk()`

    - DESCRIPTION: given a private key, it returns the associated public key.
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE
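As an added example (not circomlib code), the `BabyAdd`, `BabyDbl` and `BabyCheck` operations above, together with the curve equation from the Jordi section, written out in Python over the field. Assumptions: the field is the BN254 scalar field that circom uses (the `P` constant), and `sqrt_mod_p`, `point_from_x` and `some_point` are helpers of this example only, used to construct a test point rather than taken from the library.

```python
# Added example, not circomlib code: Baby Jubjub arithmetic mirroring BabyAdd/BabyDbl/BabyCheck.
# Assumption: the field is the BN254 scalar field circom uses (P); a, d as in the README.
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617
A, D = 168700, 168696   # curve: a*x^2 + y^2 = 1 + d*x^2*y^2

def baby_check(pt):
    """BabyCheck: True iff (x, y) satisfies a*x^2 + y^2 = 1 + d*x^2*y^2 over Fp."""
    x, y = pt
    return (A * x * x + y * y - 1 - D * x * x * y * y) % P == 0

def baby_add(p1, p2):
    """BabyAdd: the twisted Edwards addition formula given in the README."""
    (x1, y1), (x2, y2) = p1, p2
    beta = D * x1 * x2 * y1 * y2 % P                       # d*x1*x2*y1*y2
    xout = (x1 * y2 + y1 * x2) * pow(1 + beta, -1, P) % P
    yout = (y1 * y2 - A * x1 * x2) * pow(1 - beta, -1, P) % P
    return (xout, yout)

def baby_dbl(pt):
    """BabyDbl: 2*(x, y), computed here as (x, y) + (x, y) with the same formula."""
    return baby_add(pt, pt)

def sqrt_mod_p(n):
    """Tonelli-Shanks square root mod P (P = 1 mod 4); None for a non-residue."""
    n %= P
    if pow(n, (P - 1) // 2, P) != 1:                       # Euler criterion
        return 0 if n == 0 else None
    q, s = P - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = 2
    while pow(z, (P - 1) // 2, P) != P - 1:                # find any non-residue z
        z += 1
    m, c, t, r = s, pow(z, q, P), pow(n, q, P), pow(n, (q + 1) // 2, P)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2, i = t2 * t2 % P, i + 1
        b = pow(c, 1 << (m - i - 1), P)
        m, c, t, r = i, b * b % P, t * b * b % P, r * b % P
    return r

def point_from_x(x):
    """Solve y^2 = (1 - a*x^2) / (1 - d*x^2) for y; None if no curve point has this x."""
    y = sqrt_mod_p((1 - A * x * x) * pow((1 - D * x * x) % P, -1, P))
    return None if y is None else (x, y)

def some_point():
    """Constructed test input: the first curve point with x >= 1 (not a standard generator)."""
    return next(p for p in map(point_from_x, range(1, 1000)) if p is not None)
```

The checks worth running: the identity (0, 1) is neutral, a point plus its negation (-x, y) gives (0, 1), doubling the order-2 point (0, -1) gives (0, 1), and addition is associative on 1P, 2P and 4P.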

### binsub

- `BinSub(n)`

    - DESCRIPTION: binary subtraction.
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

### binsum

- `nbits(a)`

    - DESCRIPTION: binary sum.
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `BinSum(n, ops)`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

### bitify

- `Num2Bits()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `Num2Bits_strict()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `Bits2Num()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `Bits2Num_strict()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `Num2BitsNeg()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

### comparators

- `IsZero()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `IsEqual()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `ForceEqualIfEnabled()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `LessThan()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `GreaterThan()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `GreaterEqThan()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

### compconstant

- `CompConstant(ct)`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

### eddsa

Edwards Digital Signature Algorithm in Baby Jubjub (link to eddsa)

- `EdDSAVerifier(n)`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

### eddsamimc

- `EdDSAMiMCVerifier()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

### eddsamimcsponge

- `EdDSAMiMCSpongeVerifier()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

### eddsaposeidon

- `EdDSAPoseidonVerifier()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

### escalarmul

- `EscalarMulWindow(base, k)`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `EscalarMul(n, base)`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

### escalarmulany

- `Multiplexor2()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `BitElementMulAny()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `SegmentMulAny(n)`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `EscalarMulAny(n)`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

### escalarmulfix

- `WindowMulFix()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `SegmentMulFix(nWindows)`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `EscalarMulFix(n, BASE)`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

### escalarmulw4table

- `pointAdd`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `EscalarMulW4Table`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

### gates

- `XOR`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `AND`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `OR`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `NOT`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `NAND`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `NOR`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `MultiAND`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

### mimc

Implementation of MiMC-7 hash in Fp being... (link to description of the hash)

- `MiMC7(nrounds)`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `MultiMiMC7(nInputs, nRounds)`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

### mimcsponge

- `MiMCSponge(nInputs, nRounds, nOutputs)`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `MiMCFeistel(nrounds)`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

### montgomery

- `Edwards2Montgomery()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `Montgomery2Edwards()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `MontgomeryAdd()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `MontgomeryDouble()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

### multiplexer

- `log2(a)`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `EscalarProduct(w)`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `Decoder(w)`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `Multiplexer(wIn, nIn)`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

### mux1

- `MultiMux1(n)`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `Mux1()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

### mux2

- `MultiMux2(n)`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `Mux2()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

### mux3

- `MultiMux3(n)`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `Mux3()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

### mux4

- `MultiMux4(n)`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `Mux4()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

### pedersen_old

Old version of the Pedersen hash (do not use any more?).

### pedersen

- `Window4()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `Segment(nWindows)`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `Pedersen(n)`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

### pointbits

- `sqrt(n)`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `Bits2Point()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `Bits2Point_Strict()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `Point2Bits`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `Point2Bits_Strict`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

### poseidon

Implementation of Poseidon hash function (LINK)

- `Sigma()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `Ark(t, C)`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `Mix(t, M)`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

- `Poseidon(nInputs, t, nRoundsF, nRoundsP)`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

### sign

- `Sign()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE

### switcher

- `Switcher()`

    - DESCRIPTION
    - SCHEMA
    - INPUT
    - OUTPUT
    - BENCHMARKS
    - EXAMPLE