Merge pull request #1 from crema-labs/feat/ecdsa-old

Core Implementation

Author: Nesopie

.gitmodules

@@ -0,0 +1,8 @@
+[submodule "circuits/aes-circom"]
+	path = circuits/aes-circom
+	url = https://github.com/crema-labs/aes-circom.git
+
+
+[submodule "ecdsa-0xparc"]
+	path = circuits/ecdsa-0xparc
+	url = https://github.com/crema-labs/circom-ecdsa.git

.mocharc.json

@@ -2,6 +2,6 @@
   "extension": ["ts"],
   "require": "ts-node/register",
   "spec": "tests/**/*.test.ts",
-  "timeout": 100000,
+  "timeout": 100000000,
   "exit": true
 }

circuits/add.circom

@@ -0,0 +1,100 @@
+pragma circom 2.1.9;
+
+include "./ecdsa-0xparc/circuits/secp256k1.circom";
+include "./ecdsa-0xparc/circuits/ecdsa.circom";
+include "./hkdf.circom";
+include "./hmac.circom";
+include "./aes-circom/circuits/ctr.circom";
+include "./utils.circom";
+
+template Encrypt(npt,ns1,ns2){
+  signal input r[32];
+  signal input x[32];
+  signal input y[32];
+  signal input pt[npt];
+  signal input iv[16];
+  signal input s1[ns1];
+  signal input s2[ns2];
+
+  signal output pubkey[2][4];
+  signal output ct[npt];
+  signal output hmac[32];
+
+  component BytesToStrides[3];
+  for (var i = 0; i < 3; i++) {
+    BytesToStrides[i] = BytesToStrides();
+  }
+  BytesToStrides[0].in <== r;
+  BytesToStrides[1].in <== x;
+  BytesToStrides[2].in <== y;
+
+  component SK = GenSharedKey();
+  SK.r <== BytesToStrides[0].out;
+  SK.px <== BytesToStrides[1].out;
+  SK.py <== BytesToStrides[2].out;
+
+  component KG = KeyGen(ns1);
+  KG.info <== s1;
+  KG.key <== SK.out;
+
+  component AESCTR = EncryptCTR(npt,4);
+  AESCTR.plainText <== pt;
+  AESCTR.iv <== iv;
+  AESCTR.key <== KG.out[0];
+
+  component HMAC = HmacSha256(16+npt+ns2,16);
+  HMAC.key <== KG.out[1];
+  for (var i = 0; i < 16; i++) {
+    HMAC.message[i] <== iv[i];
+  }
+  for (var i = 0; i < npt; i++) {
+    HMAC.message[16+i] <== AESCTR.cipher[i];
+  }
+  for (var i = 0; i < ns2; i++) {
+    HMAC.message[16+npt+i] <== s2[i];
+  }
+
+  component PRIV2PUB = ECDSAPrivToPub(64,4);
+  PRIV2PUB.privkey <== BytesToStrides[0].out;
+
+  pubkey <== PRIV2PUB.pubkey;
+  ct <== AESCTR.cipher;
+  hmac <== HMAC.hmac;
+
+  // decryption needs pubkey.x | pubkey.y | iv | ct | hmac
+}
+
+template GenSharedKey(){
+  signal input r[4];
+  signal input px[4];
+  signal input py[4];
+
+  signal output out[32];
+
+  component scalarMul = Secp256k1ScalarMult(64,4);
+  scalarMul.scalar <== r;
+  scalarMul.point[0] <== px;
+  scalarMul.point[1] <== py;
+
+
+  component StridesToBytes = StridesToBytes();
+  StridesToBytes.in <== scalarMul.out[0];
+  
+  for(var i=0;i<32;i++){
+    out[i] <== StridesToBytes.out[31-i];
+  }
+}
+
+template KeyGen(ni){
+  signal input info[ni];
+  signal input key[32];
+
+  signal output out[2][16];
+
+  component HKDF = HKDFSha256(0,ni,32,2,16);
+
+  HKDF.info <== info;
+  HKDF.key <== key;
+
+  out <== HKDF.out;
+}

circuits/aes-circom

@@ -0,0 +1,97 @@
+pragma circom 2.1.9;
+
+include "./hmac.circom";
+
+// s : salt length
+// i : info length
+// k : key length
+// m : number of keys to extract
+// n : key length
+template HKDFSha256(s,i,k,m,n){
+  signal input salt[s];
+  signal input info[i];
+  signal input key[k];
+
+  signal output out[m][n];
+
+  component extract = Extract(s, k);
+  extract.salt <== salt;
+  extract.key <== key;
+
+  component expand = Expand(i, 32, m, n);
+  expand.info <== info;
+  expand.key <== extract.out;
+
+  out <== expand.out;
+}
+
+// s : salt length
+// k : key length
+// out : 32 bytes from sha256 hmac
+template Extract(s,k){
+  signal input salt[s];
+  signal input key[k];
+
+  component hmac = HmacSha256(k,s);
+  signal output out[32];
+
+  hmac.message <== key;
+  hmac.key <== salt;
+
+  out <== hmac.hmac;
+}
+
+// i : info length
+// k : key length
+// m : number of keys to extract
+// n : key length
+template Expand(i,k,m,n){
+  signal input info[i];
+  signal input key[k];
+  
+  var size = 32 + i + 1; // 32 bytes for hmac, i bytes for info, 1 byte for counter
+
+  // hash size is 32 bytes 
+  var rounds = (m*n)\(32);
+  rounds = (rounds * 32) < (m*n) ? rounds + 1 : rounds;
+
+
+  component hmac[rounds];
+
+  signal expandedKeys [rounds][32];
+  signal output out[m][n];
+
+  hmac[0] = HmacSha256(i+1,k);
+  hmac[0].key <== key; 
+  for (var j = 0; j < i; j++){
+      hmac[0].message[j] <== info[j];
+  }
+  hmac[0].message[i] <== 1; // here counter is byte(1)
+  expandedKeys[0] <== hmac[0].hmac;
+  
+  var counter = 2; // counter is byte(2)
+
+  for(var j = 1; j < rounds; j++){
+    hmac[j] = HmacSha256(size, k);
+    for (var o = 0; o < 32; o++){
+      hmac[j].message[o] <== expandedKeys[j-1][o];
+    }
+    for (var o = 0; o < i; o++){
+      hmac[j].message[32+o] <== info[o];
+    }
+    hmac[j].message[32+i] <== counter;
+    hmac[j].key <== key;
+    expandedKeys[j] <== hmac[j].hmac;
+    counter = counter + 1;
+  }
+
+  var byteIndex = 0;
+  for (var j = 0; j < m; j++) {
+    for (var o = 0; o < n; o++) {
+      out[j][o] <== expandedKeys[byteIndex \ 32][byteIndex % 32];
+      byteIndex++;
+    }
+  }
+}
+
+

circuits/encrypt.circom

@@ -0,0 +1,161 @@
+pragma circom 2.1.8;
+
+
+include "circomlib/circuits/bitify.circom";
+include "circomlib/circuits/sha256/sha256.circom";
+include "circomlib/circuits/comparators.circom";
+include "circomlib/circuits/gates.circom";
+include "sha256Hasher.circom";
+
+template HmacSha256(n, k) {
+    var blockSize = 64;
+    signal input message[n];
+    signal input key[k];
+    signal output hmac[32];
+
+    component keyPrep = KeyPrep(k);
+    keyPrep.in <== key;
+
+    signal keyOut[64] <== keyPrep.key;
+
+    component innerKeyXOR[blockSize];
+    component outerKeyXOR[blockSize];
+
+    for (var i = 0; i < blockSize; i++) {
+        innerKeyXOR[i] = XorByte2();
+        innerKeyXOR[i].a <== keyOut[i];
+        innerKeyXOR[i].b <== 0x36;
+
+        outerKeyXOR[i] = XorByte2();
+        outerKeyXOR[i].a <== keyOut[i];
+        outerKeyXOR[i].b <== 0x5c;
+    }
+
+    signal innerHashIn[blockSize + n];
+
+    for (var i = 0; i < blockSize; i++) {
+        innerHashIn[i] <== innerKeyXOR[i].out;
+    }
+    for (var i = 0; i < n; i++) {
+        innerHashIn[blockSize + i] <== message[i];
+    }
+
+    component innerHash = Sha256Bytes(blockSize + n);
+
+    for (var i = 0; i < blockSize + n; i++) {
+        innerHash.in[i] <== innerHashIn[i];
+    }
+
+    signal outerHashIn[blockSize + 32];
+
+    for (var i = 0; i < blockSize; i++) {
+        outerHashIn[i] <== outerKeyXOR[i].out;
+    }
+
+    
+    for (var i = 0; i < 32; i++) {
+        outerHashIn[blockSize + i] <== innerHash.out[i];
+    }
+
+    component outerHash = Sha256Bytes(blockSize + 32);
+    outerHash.in <== outerHashIn;
+    hmac <== outerHash.out;
+}
+
+
+template Concat(n1, n2) {
+    signal input in1[n1];
+    signal input in2[n2];
+    signal output out[n1+n2];
+
+    for (var i = 0; i < n1; i++) {
+        out[i] <== in1[i];
+    }
+    for (var i = 0; i < n2; i++) {
+        out[n1+i] <== in2[i];
+    }
+}
+
+template KeyPrep(k) {
+    signal input in[k];
+    signal output key[64];
+
+    signal blockSize <== 64;
+
+    signal paddingKey[k];
+    signal shaKey[64];
+
+    component sha = Sha256Bytes(k);
+    for (var i = 0; i < k; i++) {
+        sha.in[i] <== in[i];
+    }
+
+    component gtChecker = GreaterThan(8);
+    gtChecker.in[0] <== k;
+    gtChecker.in[1] <== blockSize;
+
+    component selectors[64];
+    for (var i = 0; i < 64; i++) {
+        selectors[i] = Selector();
+        selectors[i].condition <== gtChecker.out;
+
+        if (i < 32) {
+            selectors[i].in[0] <== sha.out[i];
+        } else {
+            selectors[i].in[0] <== 0;
+        }
+
+         if (i < k) {
+            selectors[i].in[1] <== in[i];
+        } else {
+            selectors[i].in[1] <== 0;
+        }
+        key[i] <== selectors[i].out;
+    }
+}
+
+template Selector() {
+    signal input condition;
+    signal input in[2];
+    signal output out;
+
+    out <== condition * (in[0] - in[1]) + in[1];
+}
+
+
+// XORs two bytes
+template XorByte2(){
+        signal input a;
+        signal input b;
+        signal output out;
+
+        component abits = Num2Bits(8);
+        abits.in <== a;
+
+        component bbits = Num2Bits(8);
+        bbits.in <== b;
+
+        component XorBits2 = XorBits2();
+        XorBits2.a <== abits.out;
+        XorBits2.b <== bbits.out;
+
+        component num = Bits2Num(8);
+        num.in <== XorBits2.out;
+
+        out <== num.out;
+}
+
+// XORs two arrays of bits
+template XorBits2(){
+        signal input a[8];
+        signal input b[8];
+        signal output out[8];
+
+    component xor[8];
+    for (var i = 0; i < 8; i++) {
+        xor[i] = XOR();
+        xor[i].a <== a[i];
+        xor[i].b <== b[i];
+        out[i] <== xor[i].out;
+    }
+}