clearmatics · AntoineRondelet · Oct 21, 2019 · Aug 29, 2019 · Sep 11, 2019 · Sep 12, 2019
diff --git a/pyClient/zethGRPC.py b/pyClient/zethGRPC.py
@@ -1,11 +1,11 @@
 from Crypto import Random
 import os
 import json
-import hashlib
 import sys
 
-# Access the encoding functions
+# Access the encoding and hash functions
 from eth_abi import encode_single, encode_abi
+from hashlib import blake2s, sha256
 
 # Access the gRPC service and the proto messages
 import grpc
@@ -55,7 +55,7 @@ def hex32bytes(element):
     res = "00"*int((64-len(res))/2) + res
     return res
 
-# Compute h_sig = sha256(randomSeed, nf0, nf1, joinSplitPubKey)
+# Compute h_sig = blake2s(randomSeed, nf0, nf1, joinSplitPubKey)
 def computeHSig(randomSeed, nf0, nf1, joinSplitPubKey):
     # Flatten the verification key
     JSPubKeyHex = [item for sublist in joinSplitPubKey for item in sublist]
@@ -65,7 +65,7 @@ def computeHSig(randomSeed, nf0, nf1, joinSplitPubKey):
         # For each element of the list, convert it to an hex and append it
         vk_hex += hex32bytes( "{0:0>4X}".format(int(item)) )
 
-    h_sig = hashlib.sha256(
+    h_sig = blake2s(
         encode_abi(['bytes32', 'bytes32', 'bytes32', 'bytes'], (bytes.fromhex(randomSeed), bytes.fromhex(nf0), bytes.fromhex(nf1), bytes.fromhex(vk_hex)) )
     ).hexdigest()
 
@@ -82,7 +82,7 @@ def transactionRandomness():
     return rand_phi
 
 # Compute the note randomness: the trapdoor trapR and rho.
-# Starting the Non-Maleability update, rho is computed from phi (see above),
+# Starting the Non-Malleability update, rho is computed from phi (see above),
 # the rho generated in this function is thus obsolete except for dummy input notes.
 def noteRandomness():
     rand_rho = bytes(Random.get_random_bytes(32)).hex()
@@ -153,20 +153,20 @@ def hexFmt(string):
 # Used by the recipient of a payment to recompute the commitment and check the membership in the tree
 # to confirm the validity of a payment
 def computeCommitment(zethNoteGRPCObj):
-    # inner_k = sha256(a_pk || rho)
-    inner_k = hashlib.sha256(
+    # inner_k = blake2s(a_pk || rho)
+    inner_k = blake2s(
         encode_abi(['bytes32', 'bytes32'], (bytes.fromhex(zethNoteGRPCObj.aPK), bytes.fromhex(zethNoteGRPCObj.rho)))
     ).hexdigest()
 
-    # outer_k = sha256(r || [inner_k]_128)
+    # outer_k = blake2s(r || [inner_k]_128)
     first128InnerComm = inner_k[0:128]
-    outer_k = hashlib.sha256(
+    outer_k = blake2s(
         encode_abi(['bytes', 'bytes'], (bytes.fromhex(zethNoteGRPCObj.trapR), bytes.fromhex(first128InnerComm)))
     ).hexdigest()
 
-    # cm = sha256(outer_k || 0^192 || value_v)
+    # cm = blake2s(outer_k || 0^192 || value_v)
     frontPad = "000000000000000000000000000000000000000000000000"
-    cm = hashlib.sha256(
+    cm = blake2s(
         encode_abi(["bytes32", "bytes32"], (bytes.fromhex(outer_k), bytes.fromhex(frontPad + zethNoteGRPCObj.value)))
     ).hexdigest()
     return cm
@@ -175,18 +175,18 @@ def hexadecimalDigestToBinaryString(digest):
     binary = lambda x: "".join(reversed( [i+j for i,j in zip( *[ ["{0:04b}".format(int(c,16)) for c in reversed("0"+x)][n::2] for n in [1,0]])]))
     return binary(digest)
 
-# Returns nf = sha256(1110 || [a_sk]_252 || rho)
+# Returns nf = blake2s(1110 || [a_sk]_252 || rho)
 def computeNullifier(zethNote, spendingAuthAsk):
     binaryAsk = hexadecimalDigestToBinaryString(spendingAuthAsk)
     first252Ask = binaryAsk[:252]
     leftLegBin = "1110" + first252Ask
     leftLegHex = "{0:0>4X}".format(int(leftLegBin, 2))
-    nullifier = hashlib.sha256(
+    nullifier = blake2s(
         encode_abi(["bytes32", "bytes32"], [bytes.fromhex(leftLegHex), bytes.fromhex(zethNote.rho)])
     ).hexdigest()
     return nullifier
 
-# Returns h_i = sha256(0 || i || 00 || [a_sk]_252 || hsig)
+# Returns h_i = blake2s(0 || i || 00 || [a_sk]_252 || hsig)
 # See: Zcash protocol spec p. 57, Section 5.4.2 Pseudo Random Functions
 def computeHi(ask, hsig, i):
     # [SANITY CHECK] make sure i is in the interval [0, 1]
@@ -200,13 +200,12 @@ def computeHi(ask, hsig, i):
     leftLegBin = "0" + str(i) + "00" + first252Ask
     leftLegHex = "{0:0>4X}".format(int(leftLegBin, 2))
 
-    print(encode_abi(["bytes32", "bytes32"], [bytes.fromhex(leftLegHex), bytes.fromhex(hsig)]))
-    h_i = hashlib.sha256(
+    h_i = blake2s(
         encode_abi(["bytes32", "bytes32"], [bytes.fromhex(leftLegHex), bytes.fromhex(hsig)])
     ).hexdigest()
     return h_i
 
-# Returns rho_i = sha256(0 || i || 10 || [phi]_252 || hsig)
+# Returns rho_i = blake2s(0 || i || 10 || [phi]_252 || hsig)
 # See: Zcash protocol spec p. 57, Section 5.4.2 Pseudo Random Functions
 def computeRhoi(phi, hsig, i):
     # [SANITY CHECK] make sure i is in the interval [0, 1]
@@ -220,22 +219,22 @@ def computeRhoi(phi, hsig, i):
     leftLegBin = "0" + str(i) + "10" + first252Phi
     leftLegHex = "{0:0>4X}".format(int(leftLegBin, 2))
 
-    rho_i = hashlib.sha256(
+    rho_i = blake2s(
         encode_abi(["bytes32", "bytes32"], [bytes.fromhex(leftLegHex), bytes.fromhex(hsig)])
     ).hexdigest()
     return rho_i
 
 def int64ToHexadecimal(number):
     return '{:016x}'.format(number)
 
-# Returns a_pk = sha256(1100 || [a_sk]_252 || 0^256)
+# Returns a_pk = blake2s(1100 || [a_sk]_252 || 0^256)
 def deriveAPK(ask):
     binaryAsk = hexadecimalDigestToBinaryString(ask)
     first252Ask = binaryAsk[:252]
     leftLegBin = "1100" + first252Ask
     leftLegHex = "{0:0>4X}".format(int(leftLegBin, 2))
     zeroes = "0000000000000000000000000000000000000000000000000000000000000000"
-    a_pk = hashlib.sha256(
+    a_pk = blake2s(
         encode_abi(["bytes32", "bytes32"], [bytes.fromhex(leftLegHex), bytes.fromhex(zeroes)])
     ).hexdigest()
     return a_pk
@@ -412,7 +411,7 @@ def sign(keypair, hash_ciphers, hash_proof, hash_inputs):
         bytes.fromhex(hash_ciphers),
         bytes.fromhex(hash_proof),
         bytes.fromhex(hash_inputs)])
-    data_hex = hashlib.sha256(data_to_sign).hexdigest()
+    data_hex = sha256(data_to_sign).hexdigest()
 
     # Convert the hex digest into a field element
     h = int(data_hex, 16) % constants.ZETH_PRIME

diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
@@ -137,14 +137,17 @@ endfunction(zeth_test)
 zeth_test(test_simple test/simple_test.cpp TRUE)
 zeth_test(test_addition test/packed_addition_test.cpp TRUE)
 zeth_test(test_hex_to_field test/hex_to_field_test.cpp TRUE)
-zeth_test(test_note test/note_test.cpp TRUE)
-zeth_test(test_prfs test/prfs_test.cpp TRUE)
-zeth_test(test_commitments test/commitments_test.cpp TRUE)
+zeth_test(test_binary_operation test/binary_operation_test.cpp TRUE)
+# zeth_test(test_sha256 test/test_sha256.cpp TRUE)
+zeth_test(test_blake2s test/blake2s_test.cpp TRUE)
 zeth_test(test_round test/round_test.cpp TRUE)
 zeth_test(test_mimc test/mimc_test.cpp TRUE)
 zeth_test(test_mimc_mp test/mimc_mp_test.cpp TRUE)
+zeth_test(test_prfs test/prfs_test.cpp TRUE)
+zeth_test(test_commitments test/commitments_test.cpp TRUE)
 zeth_test(test_merkle_tree test/merkle_tree_test.cpp TRUE)
-zeth_test(test_prover test/prover_test.cpp FALSE)
+zeth_test(test_note test/note_test.cpp TRUE)
+zeth_test(test_prover test/prover_test.cpp TRUE)
 
 # prover test has extra dependencies
 target_link_libraries(

diff --git a/src/circuit-wrapper.tcc b/src/circuit-wrapper.tcc
@@ -63,12 +63,12 @@ extended_proof<ppT> CircuitWrapper<
 
     // Compute the sum on the left hand side of the joinsplit
     for (size_t i = 0; i < NumInputs; i++) {
-        lhs_value = binaryAddition<64>(lhs_value, inputs[i].note.value());
+        lhs_value = binary_addition<64>(lhs_value, inputs[i].note.value());
     }
 
     // Compute the sum on the right hand side of the joinsplit
     for (size_t i = 0; i < NumOutputs; i++) {
-        rhs_value = binaryAddition<64>(rhs_value, outputs[i].value());
+        rhs_value = binary_addition<64>(rhs_value, outputs[i].value());
     }
 
     // [CHECK] Make sure that the balance between rhs and lfh is respected

diff --git a/src/circuits/binary_operation_gadgets.hpp b/src/circuits/binary_operation_gadgets.hpp
@@ -0,0 +1,112 @@
+#ifndef __ZETH_SIMPLE_GADGETS_HPP__
+#define __ZETH_SIMPLE_GADGETS_HPP__
+
+#include "circuits/circuits-util.hpp"
+#include "math.h"
+#include "types/bits.hpp"
+
+#include <libsnark/gadgetlib1/gadget.hpp>
+#include <libsnark/gadgetlib1/gadgets/basic_gadgets.hpp>
+
+namespace libzeth
+{
+
+/// xor_gadget computes res = a XOR b
+template<typename FieldT> class xor_gadget : public libsnark::gadget<FieldT>
+{
+
+private:
+    const libsnark::pb_variable_array<FieldT> a;
+    const libsnark::pb_variable_array<FieldT> b;
+
+public:
+    libsnark::pb_variable_array<FieldT> res;
+
+    xor_gadget(
+        libsnark::protoboard<FieldT> &pb,
+        const libsnark::pb_variable_array<FieldT> a,
+        const libsnark::pb_variable_array<FieldT> b,
+        libsnark::pb_variable_array<FieldT> res,
+        const std::string &annotation_prefix = "xor_gadget");
+
+    void generate_r1cs_constraints();
+    void generate_r1cs_witness();
+};
+
+/// xor_constant_gadget computes res = a XOR b XOR c with c constant
+template<typename FieldT>
+class xor_constant_gadget : public libsnark::gadget<FieldT>
+{
+
+private:
+    const libsnark::pb_variable_array<FieldT> a;
+    const libsnark::pb_variable_array<FieldT> b;
+    const std::vector<FieldT> c;
+
+public:
+    libsnark::pb_variable_array<FieldT> res;
+
+    xor_constant_gadget(
+        libsnark::protoboard<FieldT> &pb,
+        const libsnark::pb_variable_array<FieldT> a,
+        const libsnark::pb_variable_array<FieldT> b,
+        const std::vector<FieldT> c,
+        libsnark::pb_variable_array<FieldT> res,
+        const std::string &annotation_prefix = "xor_constant_gadget");
+
+    void generate_r1cs_constraints();
+    void generate_r1cs_witness();
+};
+
+/// xor_rot_gadget computes a XOR b and rotate it by shift
+template<typename FieldT> class xor_rot_gadget : public libsnark::gadget<FieldT>
+{
+
+private:
+    const libsnark::pb_variable_array<FieldT> a;
+    const libsnark::pb_variable_array<FieldT> b;
+    const size_t shift;
+
+public:
+    libsnark::pb_variable_array<FieldT> res;
+
+    xor_rot_gadget(
+        libsnark::protoboard<FieldT> &pb,
+        const libsnark::pb_variable_array<FieldT> a,
+        const libsnark::pb_variable_array<FieldT> b,
+        const size_t &shift,
+        libsnark::pb_variable_array<FieldT> res,
+        const std::string &annotation_prefix = "xor_rot_gadget");
+
+    void generate_r1cs_constraints();
+    void generate_r1cs_witness();
+};
+
+/// double_bit32_sum_eq_gadget checks that res = a + b % 2**32
+/// with a, b and res being 32-bit long arrays
+template<typename FieldT>
+class double_bit32_sum_eq_gadget : public libsnark::gadget<FieldT>
+{
+
+private:
+    libsnark::pb_variable_array<FieldT> a;
+    libsnark::pb_variable_array<FieldT> b;
+
+public:
+    libsnark::pb_variable_array<FieldT> res;
+
+    double_bit32_sum_eq_gadget(
+        libsnark::protoboard<FieldT> &pb,
+        libsnark::pb_variable_array<FieldT> a,
+        libsnark::pb_variable_array<FieldT> b,
+        libsnark::pb_variable_array<FieldT> res,
+        const std::string &annotation_prefix = "double_bit32_sum_eq_gadget");
+
+    void generate_r1cs_constraints(bool enforce_boolean = true);
+    void generate_r1cs_witness();
+};
+
+} // namespace libzeth
+#include "binary_operation_gadgets.tcc"
+
+#endif // __ZZETH_SIMPLE_GADGETS_HPP__