clearmatics · vesselinux · Oct 24, 2022 · Jun 24, 2022 · Jun 24, 2022 · Jun 24, 2022
diff --git a/.gitignore b/.gitignore
@@ -50,3 +50,6 @@ libsnark/zk_proof_systems/zksnark/ram_zksnark/tests/test_ram_zksnark
 
 build
 *~
+TAGS
+.dir-locals.el
+scripts/anemoi-hash/__pycache__
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -25,7 +25,7 @@ set(
   "BN128"
   CACHE
   STRING
-  "Default curve: one of ALT_BN128, BN128, EDWARDS, MNT4, MNT6"
+  "Default curve: one of ALT_BN128, BN128, EDWARDS, MNT4, MNT6, BLS12_381"
 )
 
 option(

diff --git a/depends/libff b/depends/libff
diff --git a/libsnark/CMakeLists.txt b/libsnark/CMakeLists.txt
@@ -205,6 +205,7 @@ if ("${IS_LIBSNARK_PARENT}")
   libsnark_test(test_r1cs_ppzksnark_verifier_gadget gadgetlib1/tests/test_r1cs_ppzksnark_verifier_gadget.cpp)
   libsnark_test(test_r1cs_gg_ppzksnark_verifier_gadget gadgetlib1/tests/test_r1cs_gg_ppzksnark_verifier_gadget.cpp)
   libsnark_test(test_kzg10_verifier_gadget gadgetlib1/tests/test_kzg10_verifier_gadget.cpp)
+  libsnark_test(test_anemoi_gadget gadgetlib1/gadgets/hashes/anemoi/tests/anemoi_outputs.cpp gadgetlib1/gadgets/hashes/anemoi/tests/test_anemoi_gadget.cpp)
 
   # TODO (howardwu): Resolve runtime on targets:
   # libsnark_test(zk_proof_systems_uscs_ppzksnark_test zk_proof_systems/ppzksnark/uscs_ppzksnark/tests/test_uscs_ppzksnark.cpp)

diff --git a/libsnark/gadgetlib1/gadgets/hashes/anemoi/anemoi_components.hpp b/libsnark/gadgetlib1/gadgets/hashes/anemoi/anemoi_components.hpp
@@ -0,0 +1,307 @@
+/** @file
+ *****************************************************************************
+ * @author     This file is part of libsnark, developed by Clearmatics Ltd
+ *             (originally developed by SCIPR Lab) and contributors
+ *             (see AUTHORS).
+ * @copyright  MIT license (see LICENSE file)
+ *****************************************************************************/
+
+#ifndef LIBSNARK_GADGETLIB1_GADGETS_HASHES_ANEMOI_COMPONENTS_HPP_
+#define LIBSNARK_GADGETLIB1_GADGETS_HASHES_ANEMOI_COMPONENTS_HPP_
+
+#include "libsnark/gadgetlib1/gadgets/hashes/anemoi/anemoi_parameters.hpp"
+
+#include <libsnark/gadgetlib1/gadgets/basic_gadgets.hpp>
+
+/// Implementation of the Anenoi arithmetization-oriented hash function
+///
+/// Reference:
+/// - \[BBCPSVW22]:
+///   Title: "New Design Techniques for Efficient
+///   Arithmetization-Oriented Hash Functions: Anemoi Permutations and
+///   Jive Compression Mode", Clemence Bouvier, Pierre Briaud, Pyrros
+///   Chaidos, Leo Perrin, Robin Salen, Vesselin Velichkov, Danny
+///   Willems, Cryptology ePrint Archive, Report 2022/840, 2019,
+///   <https://eprint.iacr.org/2022/840>
+
+namespace libsnark
+{
+
+/// Combined gadget for the Flystel Q-functions for prime fields Q(x) = A x^2 +
+/// B:
+/// Q_gamma(x) = beta x^2 + gamma: A = beta, B = gamma
+/// Q_delta(x) = beta x^2 + delta: A = beta, B = delta
+template<typename ppT>
+class flystel_Q_prime_field_gadget : public gadget<libff::Fr<ppT>>
+{
+    using FieldT = libff::Fr<ppT>;
+
+private:
+    const FieldT A;
+    const FieldT B;
+
+public:
+    const linear_combination<FieldT> input;
+    const pb_variable<FieldT> output;
+
+    flystel_Q_prime_field_gadget(
+        protoboard<FieldT> &pb,
+        const FieldT A,
+        const FieldT B,
+        const linear_combination<FieldT> &input,
+        const pb_variable<FieldT> &output,
+        const std::string &annotation_prefix);
+
+    void generate_r1cs_constraints();
+    void generate_r1cs_witness();
+};
+
+/// Combined gadget for the Flystel Q-functions for binary fields Q(x) = A x^3 +
+/// B:
+/// Q_gamma(x) = beta x^3 + gamma: A = beta, B = gamma
+/// Q_delta(x) = beta x^3 + delta: A = beta, B = delta
+template<typename ppT>
+class flystel_Q_binary_field_gadget : public gadget<libff::Fr<ppT>>
+{
+    using FieldT = libff::Fr<ppT>;
+
+private:
+    const pb_variable<FieldT> internal;
+    const FieldT A;
+    const FieldT B;
+
+public:
+    const linear_combination<FieldT> input;
+    const pb_variable<FieldT> output;
+
+    flystel_Q_binary_field_gadget(
+        protoboard<FieldT> &pb,
+        const FieldT A,
+        const FieldT B,
+        const linear_combination<FieldT> &input,
+        const pb_variable<FieldT> &output,
+        const std::string &annotation_prefix);
+
+    void generate_r1cs_constraints();
+    void generate_r1cs_witness();
+};
+
+/// Compute y = x^5
+template<typename ppT>
+class flystel_E_power_five_gadget : public gadget<libff::Fr<ppT>>
+{
+    using FieldT = libff::Fr<ppT>;
+
+private:
+    // internal (i.e. intermediate) variables
+    const pb_variable<FieldT> a0;
+    const pb_variable<FieldT> a1;
+
+public:
+    const linear_combination<FieldT> input;
+    const pb_variable<FieldT> output;
+
+    flystel_E_power_five_gadget(
+        protoboard<FieldT> &pb,
+        const linear_combination<FieldT> &input,
+        const pb_variable<FieldT> &output,
+        const std::string &annotation_prefix);
+
+    void generate_r1cs_constraints();
+    void generate_r1cs_witness();
+};
+
+/// Compute y = x^1/5, x=input, y=output/result
+template<typename ppT, class parameters = anemoi_parameters<libff::Fr<ppT>>>
+class flystel_E_root_five_gadget : public gadget<libff::Fr<ppT>>
+{
+    using FieldT = libff::Fr<ppT>;
+
+private:
+    // internal (i.e. intermediate) variables
+    const pb_variable<FieldT> a0;
+    const pb_variable<FieldT> a1;
+
+public:
+    const linear_combination<FieldT> input;
+    const pb_variable<FieldT> output;
+
+    flystel_E_root_five_gadget(
+        protoboard<FieldT> &pb,
+        const linear_combination<FieldT> &input,
+        const pb_variable<FieldT> &output,
+        const std::string &annotation_prefix);
+
+    void generate_r1cs_constraints();
+    void generate_r1cs_witness();
+};
+
+/// Anemoi closed Flystel component for fields of prime characteristic
+///
+/// x0,x1: input (x,y in [BBCPSVW22])
+/// y0,y1: output (u,v in [BBCPSVW22])
+///
+/// The component performs the following computation:
+///
+/// a0 = (beta x1^2 + gamma) == Q_gamma(x1)
+/// a1 = (x0 - a0)^{1/alpha} == E_root_five(x0-a0)
+/// a2 = beta (x1-a1)^2 + delta == Q_delta(x1-a1)
+/// y0 = x0 - a0 + a2
+/// y1 = x1 - a1
+///
+/// \note: in [BBCPSVW22] (x0,x1)->(y0,y1) is denoted with (x,y)->(u,v)
+template<typename ppT, class parameters = anemoi_parameters<libff::Fr<ppT>>>
+class flystel_prime_field_gadget : public gadget<libff::Fr<ppT>>
+{
+    using FieldT = libff::Fr<ppT>;
+
+private:
+    // internal (i.e. intermediate) variables
+    const pb_variable<FieldT> a0;
+    const pb_variable<FieldT> a1;
+    const pb_variable<FieldT> a2;
+
+public:
+    const linear_combination<FieldT> input_x0;
+    const linear_combination<FieldT> input_x1;
+    const pb_variable<FieldT> output_y0;
+    const pb_variable<FieldT> output_y1;
+
+    flystel_Q_prime_field_gadget<ppT> Q_gamma;
+    flystel_Q_prime_field_gadget<ppT> Q_delta;
+    flystel_E_root_five_gadget<ppT, parameters> E_root_five;
+
+    flystel_prime_field_gadget(
+        protoboard<FieldT> &pb,
+        const linear_combination<FieldT> &x0,
+        const linear_combination<FieldT> &x1,
+        const pb_variable<FieldT> &y0,
+        const pb_variable<FieldT> &y1,
+        const std::string &annotation_prefix);
+
+    void generate_r1cs_constraints();
+    void generate_r1cs_witness();
+};
+
+/// One round of the Anemoi permutation mapping (Fr)^{2L} -> (Fr)^{2L}
+///
+/// NumStateColumns : L parameter - number of columns in the
+///                     state. can be 1,2,3,4. Each column is composed
+///                     of 2 elements in Fr. One Flystel Sbox accepts
+///                     1 column as input. There are L Flystel-s in 1
+///                     round of the Anemoi permutation applied in
+///                     parallel.
+template<
+    typename ppT,
+    size_t NumStateColumns,
+    class parameters = anemoi_parameters<libff::Fr<ppT>>>
+class anemoi_round_prime_field_gadget : public gadget<libff::Fr<ppT>>
+{
+    using FieldT = libff::Fr<ppT>;
+
+private:
+    // The index of the round within the full Anemoi permutation
+    // (composed of multiple rounds iterated in a sequence). It is
+    // used to derive the round constants C,D.
+    size_t round_index;
+    // matrix M
+    std::vector<std::vector<FieldT>> M_matrix;
+    // vector of Flystel S-boxes
+    std::vector<flystel_prime_field_gadget<ppT, parameters>> Flystel;
+
+public:
+    const pb_linear_combination_array<FieldT> X_left_input;
+    const pb_linear_combination_array<FieldT> X_right_input;
+    const pb_variable_array<FieldT> Y_left_output;
+    const pb_variable_array<FieldT> Y_right_output;
+
+    anemoi_round_prime_field_gadget(
+        protoboard<FieldT> &pb,
+        const size_t &round_index,
+        const pb_linear_combination_array<FieldT> &X_left_input,
+        const pb_linear_combination_array<FieldT> &X_right_input,
+        const pb_variable_array<FieldT> &Y_left_output,
+        const pb_variable_array<FieldT> &Y_right_output,
+        const std::string &annotation_prefix);
+
+    void anemoi_get_round_constants(
+        const size_t &iround, std::vector<FieldT> &C, std::vector<FieldT> &D);
+
+    void generate_r1cs_constraints();
+    void generate_r1cs_witness();
+};
+
+// MDS matrix for each allowed dimension: 2,3 or 4
+template<typename ppT, size_t NumStateColumns> class anemoi_permutation_mds;
+
+template<typename ppT> class anemoi_permutation_mds<ppT, 2>
+{
+    using anemoi_mds_matrix_t = std::array<std::array<libff::Fr<ppT>, 2>, 2>;
+
+public:
+    static anemoi_mds_matrix_t permutation_mds(const libff::Fr<ppT> g);
+};
+
+template<typename ppT> class anemoi_permutation_mds<ppT, 3>
+{
+    using anemoi_mds_matrix_t = std::array<std::array<libff::Fr<ppT>, 3>, 3>;
+
+public:
+    static anemoi_mds_matrix_t permutation_mds(const libff::Fr<ppT> g);
+};
+
+template<typename ppT> class anemoi_permutation_mds<ppT, 4>
+{
+    using anemoi_mds_matrix_t = std::array<std::array<libff::Fr<ppT>, 4>, 4>;
+
+public:
+    static anemoi_mds_matrix_t permutation_mds(const libff::Fr<ppT> g);
+};
+
+/// Full Anemoi permutation mapping (Fr)^{2L} -> (Fr)^{2L}
+/// see anemoi_round_prime_field_gadget
+template<
+    typename ppT,
+    size_t NumStateColumns,
+    bool b_sec128,
+    class parameters = anemoi_parameters<libff::Fr<ppT>>>
+class anemoi_permutation_prime_field_gadget : public gadget<libff::Fr<ppT>>
+{
+    using FieldT = libff::Fr<ppT>;
+
+private:
+    // C round constants for all rounds
+    std::vector<std::vector<FieldT>> C_const_vec;
+    // D round constants for all rounds
+    std::vector<std::vector<FieldT>> D_const_vec;
+    // vector of round gadgets
+    std::vector<
+        anemoi_round_prime_field_gadget<ppT, NumStateColumns, parameters>>
+        Rounds;
+
+public:
+    const pb_linear_combination_array<FieldT> X_left_input;
+    const pb_linear_combination_array<FieldT> X_right_input;
+    const pb_variable_array<FieldT> Y_left_output;
+    const pb_variable_array<FieldT> Y_right_output;
+
+    anemoi_permutation_prime_field_gadget(
+        protoboard<FieldT> &pb,
+        // TODO: remove constants
+        const std::vector<std::vector<FieldT>> &C_const,
+        const std::vector<std::vector<FieldT>> &D_const,
+        const pb_linear_combination_array<FieldT> &X_left_input,
+        const pb_linear_combination_array<FieldT> &X_right_input,
+        const pb_variable_array<FieldT> &Y_left_output,
+        const pb_variable_array<FieldT> &Y_right_output,
+        const std::string &annotation_prefix);
+
+    void generate_r1cs_constraints();
+    void generate_r1cs_witness();
+};
+
+} // namespace libsnark
+
+#include "libsnark/gadgetlib1/gadgets/hashes/anemoi/anemoi_components.tcc"
+
+#endif // LIBSNARK_GADGETLIB1_GADGETS_HASHES_ANEMOI_COMPONENTS_HPP_
-Original file line number
+Diff line change
@@ Expand Up @@
     build
     *~
+    TAGS
+    .dir-locals.el
+    scripts/anemoi-hash/__pycache__
+1 −0		.gitignore
+1 −1		CMakeLists.txt
+2 −0		libff/algebra/curves/alt_bn128/alt_bn128_pp.cpp
+2 −0		libff/algebra/curves/alt_bn128/alt_bn128_pp.hpp
+2 −0		libff/algebra/curves/bls12_377/bls12_377_pp.cpp
+2 −0		libff/algebra/curves/bls12_377/bls12_377_pp.hpp
+10 −0		libff/algebra/curves/bls12_381/README.md
+68 −0		libff/algebra/curves/bls12_381/bls12_381.sage
+464 −0		libff/algebra/curves/bls12_381/bls12_381_g1.cpp
+113 −0		libff/algebra/curves/bls12_381/bls12_381_g1.hpp
+486 −0		libff/algebra/curves/bls12_381/bls12_381_g2.cpp
+120 −0		libff/algebra/curves/bls12_381/bls12_381_g2.hpp
+628 −0		libff/algebra/curves/bls12_381/bls12_381_init.cpp
+63 −0		libff/algebra/curves/bls12_381/bls12_381_init.hpp
+532 −0		libff/algebra/curves/bls12_381/bls12_381_pairing.cpp
+117 −0		libff/algebra/curves/bls12_381/bls12_381_pairing.hpp
+52 −0		libff/algebra/curves/bls12_381/bls12_381_pp.cpp
+54 −0		libff/algebra/curves/bls12_381/bls12_381_pp.hpp
+2 −0		libff/algebra/curves/bn128/bn128_pp.cpp
+2 −0		libff/algebra/curves/bn128/bn128_pp.hpp
+2 −0		libff/algebra/curves/bw6_761/bw6_761_pp.cpp
+2 −0		libff/algebra/curves/bw6_761/bw6_761_pp.hpp
+17 −1		libff/algebra/curves/curve_serialization.tcc
+2 −0		libff/algebra/curves/curve_utils.tcc
+2 −0		libff/algebra/curves/edwards/edwards_pp.cpp
+2 −0		libff/algebra/curves/edwards/edwards_pp.hpp
+2 −0		libff/algebra/curves/mnt/mnt4/mnt4_pp.cpp
+2 −0		libff/algebra/curves/mnt/mnt4/mnt4_pp.hpp
+2 −0		libff/algebra/curves/mnt/mnt6/mnt6_pp.cpp
+2 −0		libff/algebra/curves/mnt/mnt6/mnt6_pp.hpp
+3 −1		libff/algebra/curves/public_params.hpp
+8 −1		libff/algebra/curves/tests/test_bilinearity.cpp
+47 −1		libff/algebra/curves/tests/test_groups.cpp
+3 −0		libff/algebra/fields/field_utils.hpp
+111 −14		libff/algebra/fields/field_utils.tcc
+34 −0		libff/algebra/fields/fp12_2over3over2.hpp
+35 −0		libff/algebra/fields/fp12_2over3over2.tcc
+31 −0		libff/algebra/fields/fp6_3over2.hpp
+19 −6		libff/algebra/fields/tests/test_fields.cpp
+36 −28		libff/algebra/scalar_multiplication/tests/test_multiexp.cpp