diff --git a/api/benches/merkle_tree.rs b/api/benches/merkle_tree.rs index 92574b01..a8a093a2 100644 --- a/api/benches/merkle_tree.rs +++ b/api/benches/merkle_tree.rs @@ -8,7 +8,7 @@ use noah_accumulators::merkle_tree::{PersistentMerkleTree, Proof, TreePath}; use noah_algebra::bn254::{BN254PairingEngine, BN254Scalar}; use noah_algebra::prelude::*; use noah_crypto::anemoi_jive::{ - AnemoiJive, AnemoiJive254, AnemoiVLHTrace, JiveTrace, ANEMOI_JIVE_BN254_SALTS, + AnemoiJive, AnemoiJive254, AnemoiVLHTrace, JiveTrace, ANEMOI_JIVE_BN254_SALTS, N_ANEMOI_ROUNDS, }; use noah_plonk::plonk::constraint_system::{TurboCS, VarIndex}; use noah_plonk::plonk::indexer::indexer; @@ -129,8 +129,8 @@ pub fn compute_merkle_root_variables_2_20( cs: &mut TurboPlonkCS, elem: AccElemVars, path_vars: &MerklePathVars, - leaf_trace: &AnemoiVLHTrace, - traces: &Vec>, + leaf_trace: &AnemoiVLHTrace, + traces: &Vec>, ) -> VarIndex { let (uid, commitment) = (elem.uid, elem.commitment); diff --git a/api/src/anon_xfr/abar_to_abar.rs b/api/src/anon_xfr/abar_to_abar.rs index 50a6b6c9..42d40b71 100644 --- a/api/src/anon_xfr/abar_to_abar.rs +++ b/api/src/anon_xfr/abar_to_abar.rs @@ -29,7 +29,7 @@ use merlin::Transcript; use noah_algebra::bn254::BN254Scalar; use noah_algebra::prelude::*; use noah_crypto::anemoi_jive::{ - AnemoiJive, AnemoiJive254, AnemoiVLHTrace, ANEMOI_JIVE_BN254_SALTS, + AnemoiJive, AnemoiJive254, AnemoiVLHTrace, ANEMOI_JIVE_BN254_SALTS, N_ANEMOI_ROUNDS, }; use noah_plonk::plonk::{ constraint_system::{TurboCS, VarIndex}, @@ -67,11 +67,11 @@ pub struct AXfrPreNote { /// Witness. pub witness: AXfrWitness, /// The traces of the input commitments. - pub input_commitments_traces: Vec>, + pub input_commitments_traces: Vec>, /// The traces of the output commitments. - pub output_commitments_traces: Vec>, + pub output_commitments_traces: Vec>, /// The traces of the nullifiers. - pub nullifiers_traces: Vec>, + pub nullifiers_traces: Vec>, /// Input key pair. pub input_keypair: KeyPair, } 
@@ -177,7 +177,7 @@ pub fn init_anon_xfr_note( .map(|output| output.owner_memo.clone().ok_or(NoahError::ParameterError)) .collect(); - let output_commitments_traces: Vec> = outputs + let output_commitments_traces: Vec> = outputs .iter() .map(|output| { let (_, commitment_trace) = commit( @@ -430,9 +430,9 @@ pub(crate) fn prove_xfr( rng: &mut R, params: &ProverParams, secret_inputs: &AXfrWitness, - nullifiers_traces: &[AnemoiVLHTrace], - input_commitments_traces: &[AnemoiVLHTrace], - output_commitments_traces: &[AnemoiVLHTrace], + nullifiers_traces: &[AnemoiVLHTrace], + input_commitments_traces: &[AnemoiVLHTrace], + output_commitments_traces: &[AnemoiVLHTrace], folding_witness: &AXfrAddressFoldingWitness, ) -> Result { let mut transcript = Transcript::new(ANON_XFR_PLONK_PROOF_TRANSCRIPT); @@ -627,9 +627,9 @@ impl AXfrPubInputs { pub(crate) fn build_multi_xfr_cs( witness: &AXfrWitness, fee_type: BN254Scalar, - nullifiers_traces: &[AnemoiVLHTrace], - input_commitments_traces: &[AnemoiVLHTrace], - output_commitments_traces: &[AnemoiVLHTrace], + nullifiers_traces: &[AnemoiVLHTrace], + input_commitments_traces: &[AnemoiVLHTrace], + output_commitments_traces: &[AnemoiVLHTrace], folding_witness: &AXfrAddressFoldingWitness, ) -> (TurboPlonkCS, usize) { assert_ne!(witness.payers_witnesses.len(), 0); @@ -1112,7 +1112,7 @@ mod tests { use merlin::Transcript; use noah_algebra::{bn254::BN254Scalar, prelude::*}; use noah_crypto::anemoi_jive::{ - AnemoiJive, AnemoiJive254, AnemoiVLHTrace, ANEMOI_JIVE_BN254_SALTS, + AnemoiJive, AnemoiJive254, AnemoiVLHTrace, ANEMOI_JIVE_BN254_SALTS, N_ANEMOI_ROUNDS, }; use noah_plonk::plonk::constraint_system::{TurboCS, VarIndex}; use sha2::Sha512; 
@@ -2182,8 +2182,9 @@ mod tests { ) .unwrap(); - let mut nullifiers_traces = Vec::>::new(); - let mut input_commitments_traces = Vec::>::new(); + let mut nullifiers_traces = Vec::>::new(); + let mut input_commitments_traces = + Vec::>::new(); for payer_witness in secret_inputs.payers_witnesses.iter() { let (_, nullifier_trace) = nullify( &payer_witness.secret_key.clone().into_keypair(), @@ -2204,7 +2205,8 @@ mod tests { input_commitments_traces.push(input_commitment_trace); } - let mut output_commitments_traces = Vec::>::new(); + let mut output_commitments_traces = + Vec::>::new(); for payee_witness in secret_inputs.payees_witnesses.iter() { let (_, output_commitment_trace) = commit( &payee_witness.public_key, diff --git a/api/src/anon_xfr/abar_to_ar.rs b/api/src/anon_xfr/abar_to_ar.rs index 62e56b6d..53106540 100644 --- a/api/src/anon_xfr/abar_to_ar.rs +++ b/api/src/anon_xfr/abar_to_ar.rs @@ -26,7 +26,7 @@ use digest::{consts::U64, Digest}; use merlin::Transcript; use noah_algebra::{bn254::BN254Scalar, prelude::*, ristretto::PedersenCommitmentRistretto}; use noah_crypto::anemoi_jive::{ - AnemoiJive, AnemoiJive254, AnemoiVLHTrace, ANEMOI_JIVE_BN254_SALTS, + AnemoiJive, AnemoiJive254, AnemoiVLHTrace, ANEMOI_JIVE_BN254_SALTS, N_ANEMOI_ROUNDS, }; use noah_plonk::plonk::{ constraint_system::{TurboCS, VarIndex}, @@ -61,9 +61,9 @@ pub struct AbarToArPreNote { /// Witness. pub witness: PayerWitness, /// The trace of the input commitment. - pub input_commitment_trace: AnemoiVLHTrace, + pub input_commitment_trace: AnemoiVLHTrace, /// The trace of the nullifier. - pub nullifier_trace: AnemoiVLHTrace, + pub nullifier_trace: AnemoiVLHTrace, /// Input key pair. pub input_keypair: KeyPair, } 
@@ -340,8 +340,8 @@ fn prove_abar_to_ar( rng: &mut R, params: &ProverParams, payers_witness: &PayerWitness, - nullifier_trace: &AnemoiVLHTrace, - input_commitment_trace: &AnemoiVLHTrace, + nullifier_trace: &AnemoiVLHTrace, + input_commitment_trace: &AnemoiVLHTrace, folding_witness: &AXfrAddressFoldingWitness, ) -> Result { let mut transcript = Transcript::new(ABAR_TO_AR_PLONK_PROOF_TRANSCRIPT); @@ -368,8 +368,8 @@ fn prove_abar_to_ar( /// Construct the anonymous-to-transparent constraint system. pub fn build_abar_to_ar_cs( payer_witness: &PayerWitness, - nullifier_trace: &AnemoiVLHTrace, - input_commitment_trace: &AnemoiVLHTrace, + nullifier_trace: &AnemoiVLHTrace, + input_commitment_trace: &AnemoiVLHTrace, folding_witness: &AXfrAddressFoldingWitness, ) -> (TurboPlonkCS, usize) { let mut cs = TurboCS::new(); diff --git a/api/src/anon_xfr/abar_to_bar.rs b/api/src/anon_xfr/abar_to_bar.rs index 6f76d9e7..d1ebc1fb 100644 --- a/api/src/anon_xfr/abar_to_bar.rs +++ b/api/src/anon_xfr/abar_to_bar.rs @@ -30,7 +30,7 @@ use noah_algebra::{ traits::PedersenCommitment, }; use noah_crypto::anemoi_jive::{ - AnemoiJive, AnemoiJive254, AnemoiVLHTrace, ANEMOI_JIVE_BN254_SALTS, + AnemoiJive, AnemoiJive254, AnemoiVLHTrace, ANEMOI_JIVE_BN254_SALTS, N_ANEMOI_ROUNDS, }; use noah_crypto::{ delegated_schnorr::{prove_delegated_schnorr, verify_delegated_schnorr, DSInspection, DSProof}, @@ -69,9 +69,9 @@ pub struct AbarToBarPreNote { /// Witness. pub witness: PayerWitness, /// The trace of the input commitment. - pub input_commitment_trace: AnemoiVLHTrace, + pub input_commitment_trace: AnemoiVLHTrace, /// The trace of the nullifier. - pub nullifier_trace: AnemoiVLHTrace, + pub nullifier_trace: AnemoiVLHTrace, /// Input key pair. pub input_keypair: KeyPair, /// Inspection data in the delegated Schnorr proof on Ristretto. 
@@ -536,8 +536,8 @@ fn prove_abar_to_bar( rng: &mut R, params: &ProverParams, payers_witness: &PayerWitness, - nullifier_trace: &AnemoiVLHTrace, - input_commitment_trace: &AnemoiVLHTrace, + nullifier_trace: &AnemoiVLHTrace, + input_commitment_trace: &AnemoiVLHTrace, proof: &DSProof, inspection: &DSInspection, beta: &RistrettoScalar, @@ -572,8 +572,8 @@ fn prove_abar_to_bar( /// Construct the anonymous-to-confidential constraint system. pub fn build_abar_to_bar_cs( payer_witness: &PayerWitness, - nullifier_trace: &AnemoiVLHTrace, - input_commitment_trace: &AnemoiVLHTrace, + nullifier_trace: &AnemoiVLHTrace, + input_commitment_trace: &AnemoiVLHTrace, proof: &DSProof, inspection: &DSInspection, beta: &RistrettoScalar, diff --git a/api/src/anon_xfr/ar_to_abar.rs b/api/src/anon_xfr/ar_to_abar.rs index eff4a19f..682f5ba0 100644 --- a/api/src/anon_xfr/ar_to_abar.rs +++ b/api/src/anon_xfr/ar_to_abar.rs @@ -12,7 +12,7 @@ use crate::parameters::params::VerifierParams; use crate::xfr::structs::{BlindAssetRecord, OpenAssetRecord}; use merlin::Transcript; use noah_algebra::{bn254::BN254Scalar, prelude::*}; -use noah_crypto::anemoi_jive::{AnemoiJive254, AnemoiVLHTrace}; +use noah_crypto::anemoi_jive::{AnemoiJive254, AnemoiVLHTrace, N_ANEMOI_ROUNDS}; use noah_plonk::plonk::{ constraint_system::TurboCS, prover::prover_with_lagrange, verifier::verifier, }; @@ -189,7 +189,7 @@ pub fn verify_ar_to_abar_body(params: &VerifierParams, body: &ArToAbarBody) -> R /// Construct the transparent-to-anonymous constraint system. pub fn build_ar_to_abar_cs( payee_data: PayeeWitness, - output_trace: &AnemoiVLHTrace, + output_trace: &AnemoiVLHTrace, ) -> (TurboPlonkCS, usize) { let mut cs = TurboCS::new(); cs.load_anemoi_jive_parameters::(); diff --git a/api/src/anon_xfr/bar_to_abar.rs b/api/src/anon_xfr/bar_to_abar.rs index b6065ffc..0d2e70b4 100644 --- a/api/src/anon_xfr/bar_to_abar.rs +++ b/api/src/anon_xfr/bar_to_abar.rs 
@@ -18,7 +18,7 @@ use noah_algebra::{ ristretto::{PedersenCommitmentRistretto, RistrettoPoint, RistrettoScalar}, traits::PedersenCommitment, }; -use noah_crypto::anemoi_jive::{AnemoiJive, AnemoiJive254, AnemoiVLHTrace}; +use noah_crypto::anemoi_jive::{AnemoiJive, AnemoiJive254, AnemoiVLHTrace, N_ANEMOI_ROUNDS}; use noah_crypto::{ delegated_schnorr::{prove_delegated_schnorr, verify_delegated_schnorr, DSInspection, DSProof}, field_simulation::{SimFr, SimFrParams, SimFrParamsBN254Ristretto}, @@ -303,7 +303,7 @@ pub(crate) fn prove_bar_to_abar_cs( inspection: &DSInspection, beta: &RistrettoScalar, lambda: &RistrettoScalar, - comm_trace: &AnemoiVLHTrace, + comm_trace: &AnemoiVLHTrace, ) -> Result { let mut transcript = Transcript::new(BAR_TO_ABAR_PLONK_PROOF_TRANSCRIPT); let (mut cs, _) = build_bar_to_abar_cs( @@ -387,7 +387,7 @@ pub(crate) fn build_bar_to_abar_cs( non_zk_state: &DSInspection, beta: &RistrettoScalar, lambda: &RistrettoScalar, - comm_trace: &AnemoiVLHTrace, + comm_trace: &AnemoiVLHTrace, ) -> (TurboPlonkCS, usize) { let mut cs = TurboCS::new(); cs.load_anemoi_jive_parameters::(); diff --git a/api/src/anon_xfr/mod.rs b/api/src/anon_xfr/mod.rs index 1539a8b5..bc566256 100644 --- a/api/src/anon_xfr/mod.rs +++ b/api/src/anon_xfr/mod.rs @@ -16,7 +16,7 @@ use noah_algebra::{ prelude::*, }; use noah_crypto::anemoi_jive::{ - AnemoiJive, AnemoiJive254, AnemoiVLHTrace, JiveTrace, ANEMOI_JIVE_BN254_SALTS, + AnemoiJive, AnemoiJive254, AnemoiVLHTrace, JiveTrace, ANEMOI_JIVE_BN254_SALTS, N_ANEMOI_ROUNDS, }; use noah_plonk::{ plonk::{ @@ -236,7 +236,7 @@ pub fn nullify( amount: u64, asset_type_scalar: BN254Scalar, uid: u64, -) -> Result<(BN254Scalar, AnemoiVLHTrace)> { +) -> Result<(BN254Scalar, AnemoiVLHTrace)> { let pub_key = key_pair.get_pk(); let pow_2_64 = BN254Scalar::from(u64::MAX).add(&BN254Scalar::from(1u32)); 
@@ -282,7 +282,7 @@ pub fn commit_in_cs( asset_var: VarIndex, public_key_type_var: VarIndex, public_key_scalars: &[VarIndex; 3], - trace: &AnemoiVLHTrace, + trace: &AnemoiVLHTrace, ) -> VarIndex { let output_var = cs.new_variable(trace.output); let zero_var = cs.zero_var(); @@ -310,7 +310,7 @@ pub fn commit( blind: BN254Scalar, amount: u64, asset_type_scalar: BN254Scalar, -) -> Result<(Commitment, AnemoiVLHTrace)> { +) -> Result<(Commitment, AnemoiVLHTrace)> { let address_format_number: BN254Scalar = match public_key.0 { PublicKeyInner::Ed25519(_) => BN254Scalar::one(), PublicKeyInner::Secp256k1(_) => BN254Scalar::zero(), @@ -344,7 +344,7 @@ pub(crate) fn nullify_in_cs( asset_type: VarIndex, secret_key_type: VarIndex, public_key_scalars: &[VarIndex; 3], - trace: &AnemoiVLHTrace, + trace: &AnemoiVLHTrace, ) -> VarIndex { let output_var = cs.new_variable(trace.output); let zero_var = cs.zero_var(); @@ -467,8 +467,8 @@ pub fn compute_merkle_root_variables( cs: &mut TurboPlonkCS, elem: AccElemVars, path_vars: &MerklePathVars, - leaf_trace: &AnemoiVLHTrace, - traces: &[JiveTrace], + leaf_trace: &AnemoiVLHTrace, + traces: &[JiveTrace], ) -> VarIndex { let (uid, commitment) = (elem.uid, elem.commitment); diff --git a/crypto/src/anemoi_jive/bls12_381.rs b/crypto/src/anemoi_jive/bls12_381.rs index 9769173e..ba7b2e67 100644 --- a/crypto/src/anemoi_jive/bls12_381.rs +++ b/crypto/src/anemoi_jive/bls12_381.rs 
@@ -3,17 +3,19 @@ use noah_algebra::bls12_381::BLSScalar; use noah_algebra::new_bls12_381_fr; use noah_algebra::prelude::*; +use super::N_ANEMOI_ROUNDS; + /// The structure that stores the parameters for the Anemoi-Jive hash function for BLS12-381. pub struct AnemoiJive381; -impl AnemoiJive for AnemoiJive381 { +impl AnemoiJive for AnemoiJive381 { const ALPHA: u32 = 5u32; const GENERATOR: BLSScalar = new_bls12_381_fr!("7"); const GENERATOR_INV: BLSScalar = new_bls12_381_fr!( "14981678621464625851270783002338847382197300714436467949315331057125308909861" ); const GENERATOR_SQUARE_PLUS_ONE: BLSScalar = new_bls12_381_fr!("50"); - const ROUND_KEYS_X: [[BLSScalar; 2usize]; 14usize] = [ + const ROUND_KEYS_X: [[BLSScalar; 2usize]; N_ANEMOI_ROUNDS] = [ [ new_bls12_381_fr!("39"), new_bls12_381_fr!( @@ -125,7 +127,7 @@ impl AnemoiJive for AnemoiJive381 { ), ], ]; - const ROUND_KEYS_Y: [[BLSScalar; 2usize]; 14usize] = [ + const ROUND_KEYS_Y: [[BLSScalar; 2usize]; N_ANEMOI_ROUNDS] = [ [ new_bls12_381_fr!( "14981678621464625851270783002338847382197300714436467949315331057125308909900" @@ -239,7 +241,7 @@ impl AnemoiJive for AnemoiJive381 { ), ], ]; - const PREPROCESSED_ROUND_KEYS_X: [[BLSScalar; 2usize]; 14usize] = [ + const PREPROCESSED_ROUND_KEYS_X: [[BLSScalar; 2usize]; N_ANEMOI_ROUNDS] = [ [ new_bls12_381_fr!( "35132796657602600463082375807523947538812231901617345651700352053179413136781" @@ -353,7 +355,7 @@ impl AnemoiJive for AnemoiJive381 { ), ], ]; - const PREPROCESSED_ROUND_KEYS_Y: [[BLSScalar; 2usize]; 14usize] = [ + const PREPROCESSED_ROUND_KEYS_Y: [[BLSScalar; 2usize]; N_ANEMOI_ROUNDS] = [ [ new_bls12_381_fr!( "15708940413097757154186986844111910752060195475863555301496544479594607502297" diff --git a/crypto/src/anemoi_jive/bn254.rs b/crypto/src/anemoi_jive/bn254.rs index 939e7842..b38a993c 100644 --- a/crypto/src/anemoi_jive/bn254.rs +++ b/crypto/src/anemoi_jive/bn254.rs 
@@ -1,3 +1,4 @@ +use super::N_ANEMOI_ROUNDS; use crate::anemoi_jive::AnemoiJive; use noah_algebra::bn254::BN254Scalar; use noah_algebra::new_bn254_fr; @@ -5,14 +6,14 @@ use noah_algebra::new_bn254_fr; /// The structure that stores the parameters for the Anemoi-Jive hash function for BN254. pub struct AnemoiJive254; -impl AnemoiJive for AnemoiJive254 { +impl AnemoiJive for AnemoiJive254 { const ALPHA: u32 = 5u32; const GENERATOR: BN254Scalar = new_bn254_fr!("5"); const GENERATOR_INV: BN254Scalar = new_bn254_fr!( "8755297148735710088898562298102910035419345760166413737479281674630323398247" ); const GENERATOR_SQUARE_PLUS_ONE: BN254Scalar = new_bn254_fr!("26"); - const ROUND_KEYS_X: [[BN254Scalar; 2]; 14] = [ + const ROUND_KEYS_X: [[BN254Scalar; 2]; N_ANEMOI_ROUNDS] = [ [ new_bn254_fr!("37"), new_bn254_fr!( @@ -124,7 +125,7 @@ impl AnemoiJive for AnemoiJive254 { ), ], ]; - const ROUND_KEYS_Y: [[BN254Scalar; 2]; 14] = [ + const ROUND_KEYS_Y: [[BN254Scalar; 2]; N_ANEMOI_ROUNDS] = [ [ new_bn254_fr!( "8755297148735710088898562298102910035419345760166413737479281674630323398284" @@ -238,7 +239,7 @@ impl AnemoiJive for AnemoiJive254 { ), ], ]; - const PREPROCESSED_ROUND_KEYS_X: [[BN254Scalar; 2]; 14] = [ + const PREPROCESSED_ROUND_KEYS_X: [[BN254Scalar; 2]; N_ANEMOI_ROUNDS] = [ [ new_bn254_fr!( "9875235397644879082677551174832367614794066768374461301425281161472772669364" @@ -352,7 +353,7 @@ impl AnemoiJive for AnemoiJive254 { ), ], ]; - const PREPROCESSED_ROUND_KEYS_Y: [[BN254Scalar; 2]; 14] = [ + const PREPROCESSED_ROUND_KEYS_Y: [[BN254Scalar; 2]; N_ANEMOI_ROUNDS] = [ [ new_bn254_fr!( "13004335645468876947782817511996516830557692388848756239167689579223703209154" diff --git a/crypto/src/anemoi_jive/mod.rs b/crypto/src/anemoi_jive/mod.rs index 7bfa754c..1d751035 100644 --- a/crypto/src/anemoi_jive/mod.rs +++ b/crypto/src/anemoi_jive/mod.rs 
@@ -22,6 +22,9 @@ pub use mds::{ApplicableMDSMatrix, MDSMatrix}; pub use salts::*; pub use traces::{AnemoiStreamCipherTrace, AnemoiVLHTrace, JiveTrace}; +/// The round number of Anemoi. +pub const N_ANEMOI_ROUNDS: usize = 14; + /// The trait for the Anemoi-Jive parameters. pub trait AnemoiJive where diff --git a/crypto/src/anemoi_jive/tests/bls12_381.rs b/crypto/src/anemoi_jive/tests/bls12_381.rs index a29809b3..5e9f66f8 100644 --- a/crypto/src/anemoi_jive/tests/bls12_381.rs +++ b/crypto/src/anemoi_jive/tests/bls12_381.rs @@ -1,4 +1,6 @@ -use crate::anemoi_jive::{AnemoiJive, AnemoiJive381, ApplicableMDSMatrix, MDSMatrix}; +use crate::anemoi_jive::{ + AnemoiJive, AnemoiJive381, ApplicableMDSMatrix, MDSMatrix, N_ANEMOI_ROUNDS, +}; use noah_algebra::bls12_381::BLSScalar; use noah_algebra::new_bls12_381_fr; use noah_algebra::prelude::Scalar; @@ -88,7 +90,7 @@ fn test_jive_flatten() { } // remaining rounds - for r in 1..14 { + for r in 1..N_ANEMOI_ROUNDS { let a_i_minus_1 = trace.intermediate_x_before_constant_additions[r - 1][0].clone(); let b_i_minus_1 = trace.intermediate_x_before_constant_additions[r - 1][1].clone(); let c_i_minus_1 = trace.intermediate_y_before_constant_additions[r - 1][0].clone(); @@ -264,7 +266,7 @@ fn test_anemoi_variable_length_hash_flatten() { } // remaining rounds - for r in 1..14 { + for r in 1..N_ANEMOI_ROUNDS { let a_i_minus_1 = trace.intermediate_values_before_constant_additions[rr].0[r - 1][0].clone(); let b_i_minus_1 = @@ -496,7 +498,7 @@ fn test_eval_stream_cipher_flatten() { } // remaining rounds - for r in 1..14 { + for r in 1..N_ANEMOI_ROUNDS { let a_i_minus_1 = trace.intermediate_values_before_constant_additions[rr].0[r - 1][0].clone(); let b_i_minus_1 = @@ -661,7 +663,7 @@ fn test_eval_stream_cipher_flatten() { } // remaining rounds - for r in 1..14 { + for r in 1..N_ANEMOI_ROUNDS { let a_i_minus_1 = trace.intermediate_values_before_constant_additions [absorbing_times + i] .0[r - 1][0] 
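Review bot: The doc comment on the new constant in crypto/src/anemoi_jive/mod.rs, `/// The round number of Anemoi.`, does not say what the value governs, even though the round-key tables, the trace types and the per-round gates elsewhere in this commit are all sized by it. Suggested wording: `/// Number of rounds of the Anemoi permutation. Round-key tables, traces and the per-round Plonk gates are all sized by this constant.` It is also worth a sentence noting that the round keys in bn254.rs and bls12_381.rs remain literal tables, so changing this value is a compile error until those tables are regenerated rather than a silent mismatch (inferred from the array types in those hunks).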
@@ -839,7 +841,7 @@ fn test_eval_stream_cipher_flatten() { } // remaining rounds - for r in 1..14 { + for r in 1..N_ANEMOI_ROUNDS { let a_i_minus_1 = trace.intermediate_values_before_constant_additions [absorbing_times + squeezing_times] .0[r - 1][0] @@ -926,11 +928,11 @@ fn test_eval_stream_cipher_flatten() { x = trace.intermediate_values_before_constant_additions [absorbing_times + squeezing_times] - .0[14 - 1] + .0[N_ANEMOI_ROUNDS - 1] .clone(); y = trace.intermediate_values_before_constant_additions [absorbing_times + squeezing_times] - .1[14 - 1] + .1[N_ANEMOI_ROUNDS - 1] .clone(); mds.permute_in_place(&mut x, &mut y); for i in 0..2 { diff --git a/crypto/src/anemoi_jive/tests/bn254.rs b/crypto/src/anemoi_jive/tests/bn254.rs index f1139a6c..826e676d 100644 --- a/crypto/src/anemoi_jive/tests/bn254.rs +++ b/crypto/src/anemoi_jive/tests/bn254.rs @@ -1,3 +1,4 @@ +use crate::anemoi_jive::N_ANEMOI_ROUNDS; use crate::anemoi_jive::{AnemoiJive, AnemoiJive254, ApplicableMDSMatrix, MDSMatrix}; use noah_algebra::bn254::BN254Scalar; use noah_algebra::new_bn254_fr; @@ -87,7 +88,7 @@ fn test_jive_flatten() { } // remaining rounds - for r in 1..14 { + for r in 1..N_ANEMOI_ROUNDS { let a_i_minus_1 = trace.intermediate_x_before_constant_additions[r - 1][0].clone(); let b_i_minus_1 = trace.intermediate_x_before_constant_additions[r - 1][1].clone(); let c_i_minus_1 = trace.intermediate_y_before_constant_additions[r - 1][0].clone(); @@ -263,7 +264,7 @@ fn test_anemoi_variable_length_hash_flatten() { } // remaining rounds - for r in 1..14 { + for r in 1..N_ANEMOI_ROUNDS { let a_i_minus_1 = trace.intermediate_values_before_constant_additions[rr].0[r - 1][0].clone(); let b_i_minus_1 = @@ -495,7 +496,7 @@ fn test_eval_stream_cipher_flatten() { } // remaining rounds - for r in 1..14 { + for r in 1..N_ANEMOI_ROUNDS { let a_i_minus_1 = trace.intermediate_values_before_constant_additions[rr].0[r - 1][0].clone(); let b_i_minus_1 = 
@@ -660,7 +661,7 @@ fn test_eval_stream_cipher_flatten() { } // remaining rounds - for r in 1..14 { + for r in 1..N_ANEMOI_ROUNDS { let a_i_minus_1 = trace.intermediate_values_before_constant_additions [absorbing_times + i] .0[r - 1][0] @@ -838,7 +839,7 @@ fn test_eval_stream_cipher_flatten() { } // remaining rounds - for r in 1..14 { + for r in 1..N_ANEMOI_ROUNDS { let a_i_minus_1 = trace.intermediate_values_before_constant_additions [absorbing_times + squeezing_times] .0[r - 1][0] @@ -925,11 +926,11 @@ fn test_eval_stream_cipher_flatten() { x = trace.intermediate_values_before_constant_additions [absorbing_times + squeezing_times] - .0[14 - 1] + .0[N_ANEMOI_ROUNDS - 1] .clone(); y = trace.intermediate_values_before_constant_additions [absorbing_times + squeezing_times] - .1[14 - 1] + .1[N_ANEMOI_ROUNDS - 1] .clone(); mds.permute_in_place(&mut x, &mut y); for i in 0..2 { diff --git a/crypto/src/delegated_schnorr.rs b/crypto/src/delegated_schnorr.rs index a22a5ab7..f5b990df 100644 --- a/crypto/src/delegated_schnorr.rs +++ b/crypto/src/delegated_schnorr.rs @@ -1,4 +1,4 @@ -use crate::anemoi_jive::AnemoiJive; +use crate::anemoi_jive::{AnemoiJive, N_ANEMOI_ROUNDS}; use crate::errors::{CryptoError, Result}; use crate::field_simulation::{SimFr, SimFrParams}; use merlin::Transcript; @@ -99,7 +99,7 @@ impl> DSProof { /// Generate a proof in the delegated Schnorr protocol. pub fn prove_delegated_schnorr< F: Scalar, - H: AnemoiJive, + H: AnemoiJive, R: CryptoRng + RngCore, S: Scalar, G: Group, diff --git a/crypto/src/doubly_snark_friendly/ecies_encryption.rs b/crypto/src/doubly_snark_friendly/ecies_encryption.rs index 4c57eee7..b9c7085f 100644 --- a/crypto/src/doubly_snark_friendly/ecies_encryption.rs +++ b/crypto/src/doubly_snark_friendly/ecies_encryption.rs @@ -1,4 +1,4 @@ -use crate::anemoi_jive::AnemoiJive; +use crate::anemoi_jive::{AnemoiJive, N_ANEMOI_ROUNDS}; use noah_algebra::prelude::*; use rand_core::{CryptoRng, RngCore}; 
@@ -59,7 +59,7 @@ impl ECIESDecryptionKey { /// Decrypt the ciphertext with the decryption key. pub fn decrypt(&self, ciphertext: &ECIESCiphertext) -> ECIESPlaintext where - H: AnemoiJive, + H: AnemoiJive, { let point = ciphertext .dh_point_div_by_cofactor @@ -98,7 +98,7 @@ impl ECIESEncryptionKey { /// Encrypt the plaintext with the encryption key. pub fn encrypt(&self, prng: &mut R, plaintext: &ECIESPlaintext) -> ECIESCiphertext where - H: AnemoiJive, + H: AnemoiJive, R: CryptoRng + RngCore, { let k = G::ScalarType::random(prng); diff --git a/crypto/src/doubly_snark_friendly/schnorr_signature.rs b/crypto/src/doubly_snark_friendly/schnorr_signature.rs index cd6d4428..bddf335f 100644 --- a/crypto/src/doubly_snark_friendly/schnorr_signature.rs +++ b/crypto/src/doubly_snark_friendly/schnorr_signature.rs @@ -1,4 +1,4 @@ -use crate::anemoi_jive::AnemoiJive; +use crate::anemoi_jive::{AnemoiJive, N_ANEMOI_ROUNDS}; use crate::errors::{CryptoError, Result}; use noah_algebra::prelude::*; @@ -60,7 +60,7 @@ impl SchnorrSigningKey { msg: &[G::BaseType], ) -> SchnorrSignature where - H: AnemoiJive, + H: AnemoiJive, R: CryptoRng + RngCore, { let k = G::ScalarType::random(prng); @@ -107,7 +107,7 @@ impl SchnorrVerifyingKey { msg: &[G::BaseType], ) -> Result<()> where - H: AnemoiJive, + H: AnemoiJive, { let e_converted = G::ScalarType::from(&signature.schnorr_e.into()); diff --git a/plonk/src/plonk/constraint_system/anemoi_jive.rs b/plonk/src/plonk/constraint_system/anemoi_jive.rs index 53ee3a80..127a01d4 100644 --- a/plonk/src/plonk/constraint_system/anemoi_jive.rs +++ b/plonk/src/plonk/constraint_system/anemoi_jive.rs 
@@ -1,14 +1,16 @@ use crate::plonk::constraint_system::{TurboCS, VarIndex}; use noah_algebra::prelude::*; -use noah_crypto::anemoi_jive::{AnemoiJive, AnemoiStreamCipherTrace, AnemoiVLHTrace, JiveTrace}; +use noah_crypto::anemoi_jive::{ + AnemoiJive, AnemoiStreamCipherTrace, AnemoiVLHTrace, JiveTrace, N_ANEMOI_ROUNDS, +}; impl TurboCS { /// Create constraints for the Anemoi permutation. - fn anemoi_permutation_round>( + fn anemoi_permutation_round>( &mut self, input_var: &([VarIndex; 2], [VarIndex; 2]), output_var: &([Option; 2], [Option; 2]), - intermediate_val: &([[F; 2]; 14], [[F; 2]; 14]), + intermediate_val: &([[F; 2]; N_ANEMOI_ROUNDS], [[F; 2]; N_ANEMOI_ROUNDS]), checksum: Option, salt: Option, ) -> Option { @@ -21,9 +23,12 @@ impl TurboCS { // Allocate the intermediate values // (the last line of the intermediate values is the output of the last round // before the final linear layer) - let mut intermediate_var = ([[zero_var; 2]; 14], [[zero_var; 2]; 14]); + let mut intermediate_var = ( + [[zero_var; 2]; N_ANEMOI_ROUNDS], + [[zero_var; 2]; N_ANEMOI_ROUNDS], + ); - for r in 0..14 { + for r in 0..N_ANEMOI_ROUNDS { intermediate_var.0[r][0] = self.new_variable(intermediate_val.0[r][0]); intermediate_var.0[r][1] = self.new_variable(intermediate_val.0[r][1]); intermediate_var.1[r][0] = self.new_variable(intermediate_val.1[r][0]); @@ -53,7 +58,7 @@ impl TurboCS { self.attach_anemoi_jive_constraints_to_gate(); // Create the remaining 13 gates - for r in 1..14 { + for r in 1..N_ANEMOI_ROUNDS { self.push_add_selectors(zero, zero, zero, zero); self.push_mul_selectors(zero, zero); self.push_constant_selector(zero); @@ -192,9 +197,9 @@ impl TurboCS { } /// Create constraints for the Anemoi variable length hash function. - pub fn anemoi_variable_length_hash>( + pub fn anemoi_variable_length_hash>( &mut self, - trace: &AnemoiVLHTrace, + trace: &AnemoiVLHTrace, input_var: &[VarIndex], output_var: VarIndex, ) { 
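Review bot: The comment `// Create the remaining 13 gates` in the `@@ -53,7 +58,7 @@` hunk is now stale, since the loop below it runs `for r in 1..N_ANEMOI_ROUNDS` and the literal 13 no longer appears anywhere in the code. Replace it with `// Create the remaining N_ANEMOI_ROUNDS - 1 gates (round 0 was attached above)`. The enclosing `anemoi_permutation_round` starts in the first hunk of this file and its body continues outside the shown hunks.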
@@ -309,9 +314,9 @@ impl TurboCS { } /// Create constraints for the Jive CRH. - pub fn jive_crh>( + pub fn jive_crh>( &mut self, - trace: &JiveTrace, + trace: &JiveTrace, input_var: &[VarIndex; 3], salt: F, ) -> VarIndex { @@ -362,9 +367,9 @@ impl TurboCS { } /// Create constraints for the Anemoi stream cipher - pub fn anemoi_stream_cipher>( + pub fn anemoi_stream_cipher>( &mut self, - trace: &AnemoiStreamCipherTrace, + trace: &AnemoiStreamCipherTrace, input_var: &[VarIndex], output_var: &[VarIndex], ) { diff --git a/plonk/src/plonk/constraint_system/turbo.rs b/plonk/src/plonk/constraint_system/turbo.rs index 5b04da2f..5622e858 100644 --- a/plonk/src/plonk/constraint_system/turbo.rs +++ b/plonk/src/plonk/constraint_system/turbo.rs @@ -4,6 +4,7 @@ use super::{ConstraintSystem, CsIndex, VarIndex}; use crate::errors::{PlonkError, Result}; use ark_std::{borrow::ToOwned, format}; use noah_algebra::prelude::*; +use noah_crypto::anemoi_jive::N_ANEMOI_ROUNDS; use noah_crypto::anemoi_jive::AnemoiJive; #[cfg(feature = "debug")] @@ -23,9 +24,9 @@ pub struct TurboCS { /// the wiring of the circuit. pub wiring: [Vec; N_WIRES_PER_GATE], /// the first part of the Anemoi preprocessed round keys. - pub anemoi_preprocessed_round_keys_x: [[F; 2]; 14], + pub anemoi_preprocessed_round_keys_x: [[F; 2]; N_ANEMOI_ROUNDS], /// the second part of the Anemoi preprocessed round keys. - pub anemoi_preprocessed_round_keys_y: [[F; 2]; 14], + pub anemoi_preprocessed_round_keys_y: [[F; 2]; N_ANEMOI_ROUNDS], /// the Anemoi generator. pub anemoi_generator: F, /// the Anemoi generator's inverse. 
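Review bot: In the turbo.rs `@@ -4,6 +4,7 @@` hunk the new import is added as a separate line, `use noah_crypto::anemoi_jive::N_ANEMOI_ROUNDS;`, directly above `use noah_crypto::anemoi_jive::AnemoiJive;`. Every other file touched by this commit merges the two into one path list; for consistency write `use noah_crypto::anemoi_jive::{AnemoiJive, N_ANEMOI_ROUNDS};`.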
@@ -175,8 +176,8 @@ impl ConstraintSystem for TurboCS { Self { selectors: vec![], wiring: [vec![], vec![], vec![], vec![], vec![]], - anemoi_preprocessed_round_keys_x: [[F::zero(); 2]; 14], - anemoi_preprocessed_round_keys_y: [[F::zero(); 2]; 14], + anemoi_preprocessed_round_keys_x: [[F::zero(); 2]; N_ANEMOI_ROUNDS], + anemoi_preprocessed_round_keys_y: [[F::zero(); 2]; N_ANEMOI_ROUNDS], anemoi_generator: F::zero(), anemoi_generator_inv: F::zero(), anemoi_constraints_indices: vec![], @@ -203,7 +204,7 @@ impl ConstraintSystem for TurboCS { empty_poly, ]; for i in self.anemoi_constraints_indices.iter() { - for j in 0..14 { + for j in 0..N_ANEMOI_ROUNDS { polys[0][*i + j] = self.anemoi_preprocessed_round_keys_x[j][0]; polys[1][*i + j] = self.anemoi_preprocessed_round_keys_x[j][1]; polys[2][*i + j] = self.anemoi_preprocessed_round_keys_y[j][0]; @@ -261,8 +262,8 @@ impl TurboCS { Self { selectors, wiring: [vec![], vec![], vec![], vec![], vec![]], - anemoi_preprocessed_round_keys_x: [[F::zero(); 2]; 14], - anemoi_preprocessed_round_keys_y: [[F::zero(); 2]; 14], + anemoi_preprocessed_round_keys_x: [[F::zero(); 2]; N_ANEMOI_ROUNDS], + anemoi_preprocessed_round_keys_y: [[F::zero(); 2]; N_ANEMOI_ROUNDS], anemoi_generator: F::zero(), anemoi_generator_inv: F::zero(), anemoi_constraints_indices: vec![], 
@@ -448,16 +449,24 @@ impl TurboCS { println!("cs constraint not satisfied."); } - for var in [ - wiring_0_var, - wiring_1_var, - wiring_2_var, - wiring_3_var, - wiring_4_var, - ] - .iter() - { - self.witness_backtrace.remove(var); + if !(selector_0.is_zero() && selector_4.is_zero() && selector_7.is_zero()) { + self.witness_backtrace.remove(&wiring_0_var); + } + + if !(selector_1.is_zero() && selector_4.is_zero() && selector_7.is_zero()) { + self.witness_backtrace.remove(&wiring_1_var); + } + + if !(selector_2.is_zero() && selector_5.is_zero() && selector_7.is_zero()) { + self.witness_backtrace.remove(&wiring_2_var); + } + + if !(selector_3.is_zero() && selector_5.is_zero() && selector_7.is_zero()) { + self.witness_backtrace.remove(&wiring_3_var); + } + + if !(selector_7.is_zero() && selector_8.is_zero()) { + self.witness_backtrace.remove(&wiring_4_var); } } @@ -735,7 +744,7 @@ impl TurboCS { } /// Set the parameters for the Anemoi/Jive hash function. - pub fn load_anemoi_jive_parameters>(&mut self) { + pub fn load_anemoi_jive_parameters>(&mut self) { self.anemoi_preprocessed_round_keys_x = H::PREPROCESSED_ROUND_KEYS_X; self.anemoi_preprocessed_round_keys_y = H::PREPROCESSED_ROUND_KEYS_Y; 
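Review bot: The five new conditions in the `@@ -448,16 +449,24 @@` hunk encode which selector columns touch which wire using bare indices 0–8, and nothing in the hunk documents that mapping, so a reader cannot check why `wiring_4_var` depends only on `selector_7` and `selector_8` while the other wires also consult `selector_4`/`selector_5`. Add a comment above the block along the lines of `// A wire counts as constrained by this gate only if at least one selector that multiplies it is non-zero; otherwise its backtrace entry is kept so pad() can report it as dangling.` and name each selector in the conditions where it is first read. Since the Anemoi rounds pushed in constraint_system/anemoi_jive.rs use all-zero standard selectors, this change is presumably what makes the separate exemption in `pad()` necessary; stating that dependency here keeps the two pieces from being changed independently. The enclosing function starts outside the hunk.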
@@ -758,8 +767,23 @@ impl TurboCS { #[cfg(feature = "debug")] { if !self.witness_backtrace.is_empty() { - for (_, v) in &self.witness_backtrace { - panic!("dangling witness:\n{}", v); + let mut animoi_witness_var = Vec::new(); + for cs_index in self.anemoi_constraints_indices.iter() { + for r in 0..N_ANEMOI_ROUNDS { + animoi_witness_var.push(self.get_witness_index(0, cs_index + r)); + animoi_witness_var.push(self.get_witness_index(1, cs_index + r)); + animoi_witness_var.push(self.get_witness_index(2, cs_index + r)); + animoi_witness_var.push(self.get_witness_index(3, cs_index + r)); + animoi_witness_var.push(self.get_witness_index(4, cs_index + r)); + } + } + + for (var, backtrace) in &self.witness_backtrace { + if animoi_witness_var.contains(var) { + continue; + } + + panic!("dangling witness:\n{}", backtrace); } } } @@ -823,7 +847,7 @@ impl TurboCS { } for cs_index in self.anemoi_constraints_indices.iter() { - for r in 0..14 { + for r in 0..N_ANEMOI_ROUNDS { let a_i = witness[self.get_witness_index(0, cs_index + r)]; let b_i = witness[self.get_witness_index(1, cs_index + r)]; let c_i = witness[self.get_witness_index(2, cs_index + r)]; @@ -1507,11 +1531,20 @@ mod test_turbo_bls12_381 { use noah_algebra::{bls12_381::BLSScalar, prelude::*}; _test_turbo!(BLSScalar, BLSPairingEngine); +} + +#[cfg(test)] +#[cfg(feature = "debug")] +mod test_dangling_witness { + use crate::plonk::constraint_system::TurboCS; + use noah_algebra::{bn254::BN254Scalar, prelude::*}; + use noah_crypto::anemoi_jive::{AnemoiJive, AnemoiJive254}; + + type F = BN254Scalar; #[test] - #[cfg(feature = "debug")] fn test_dangling_witness_without_panic() { - let one = BLSScalar::one(); + let one = F::one(); let two = one.add(&one); let three = one.add(&two); let four = one.add(&three); 
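Review bot: In the `@@ -758,8 +767,23 @@` hunk `animoi_witness_var` is a `Vec` probed with `contains(var)` for every entry of `witness_backtrace`, which is a linear scan per entry over 5 × N_ANEMOI_ROUNDS indices per Anemoi gate; collecting into a set (a `BTreeSet` is available without `std` via the `ark_std` re-exports the file already uses, if that is the constraint here) makes the check O(log n) per entry and also fixes the `animoi` misspelling, e.g. `let anemoi_witness_vars: BTreeSet<_> = ...collect();` then `if anemoi_witness_vars.contains(var) { continue; }`. The exemption also means no wire of an Anemoi gate row is ever reported as dangling, presumably because the custom Anemoi constraint covers those wires even though their standard selectors are zero; that reasoning should be stated in a comment above the loop, since it is the only justification for bypassing the debug check. The enclosing `pad()` body continues outside the hunk.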
@@ -1541,32 +1574,34 @@ mod test_turbo_bls12_381 { } #[test] - #[cfg(feature = "debug")] #[should_panic] fn test_dangling_witness_should_panic() { - use noah_crypto::anemoi_jive::{AnemoiJive, AnemoiJive381}; - - let one = BLSScalar::one(); + let one = F::one(); let two = one.add(&one); let three = one.add(&two); let four = one.add(&three); let mut cs = TurboCS::new(); + cs.load_anemoi_jive_parameters::(); let var_0 = cs.new_variable(one); let var_1 = cs.new_variable(two); let var_2 = cs.new_variable(three); let var_3 = cs.new_variable(four); - let trace = AnemoiJive381::eval_variable_length_hash_with_trace(&[one, two, three, four]); + let trace = AnemoiJive254::eval_variable_length_hash_with_trace(&[one, two, three, four]); let comm = trace.output; let comm_var = cs.new_variable(comm); cs.prepare_pi_variable(comm_var); let h_var = cs.new_variable(comm); - cs.anemoi_variable_length_hash(&trace, &[var_0, var_1, var_2, var_3], h_var); + cs.anemoi_variable_length_hash::( + &trace, + &[var_0, var_1, var_2, var_3], + h_var, + ); // This step is intentionally omitted. - // cs.equal(comm_var, h_var) + // cs.equal(comm_var, h_var); cs.pad() } }
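Review bot: `test_dangling_witness_should_panic` keeps a bare `#[should_panic]`, so a panic from any earlier call in the test (parameter loading, variable allocation, the hash evaluation) would also satisfy it and the test would not prove that the omitted `cs.equal(comm_var, h_var)` is what `pad()` detects. Pin the failure with `#[should_panic(expected = "dangling witness")]`, which matches the message built in `pad()` in this same file.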