# TLS handshake circuit 5
# Compute ghash H, gctr block, encrypted counter block, verify_data - needed for Server Finished

16 3170
2 672 960

# notary inputs
#  256: outer hash state for p1
#  128: swk share
#  32 : swiv share
#  128: mask1 for H^1
#  128: mask2 for gctr block

# client inputs
#  256: inner hash state for p1
#  128: swk share
#  32:  siv share
#  64:  server_finished nonce
#  128: mask1 for H^1
#  128: mask2 for gctr block
#  128: mask3 for enc counter
#  96 : mask4 for verify_data

1 480

# all outputs go to the evaluator
# 128: H^1 masked twice (by mask1)
# 128: gctr block masked twice (by mask2)
# 128: enc counter masked by client
# 96 : server_verify masked by client

2 1 0 0 1632 XOR # 0
1 1 1632 1633 INV # 1

# pad outer hash digest as the last chunk of sha256
# total length of bits in outer sha256: L == 512+256 ==768 should be the last 64 bits
# 768 in binary is 0000 0011 0000 0000
# to be hashed: 256 bits inner hash digest + 1 + 191 bits of 0 + 48 bits of 0 + 0000 0011 0000 0000
# the 96 upperremost bits of the result is verify_data
768 256 [1632*8] 1633 1633 [1632*245] 1633 [672|>256] [0|>256] [1634|>256] sha256.txt

#unmask swk
256 128 [256|>128] [928|>128] [1890|>128] xor128bits.casm

#unmask siv
64 32 [384|>32] [1056|>32] [2018|>32] xor32bits.casm

# get encrypted zero - gcm H
256 128 [1890|>128] [1632*128] [2050|>128] aes-128-reverse.txt

# gctr block = server_write_IV + server_finished nonce + [0*31] + 1
256 128 [1890|>128] 1633 [1632*31] [1088|>64] [2018|>32] [2178|>128] aes-128-reverse.txt

# encrypt counter = server_write_IV + server_finished nonce + 2 (4 bytes)
256 128 [1890|>128] 1632 1633 [1632*30] [1088|>64] [2018|>32] [2306|>128] aes-128-reverse.txt

# apply notary's mask on outputs
256 128 [2050|>128] [416|>128] [2434|>128] xor128bits.casm
256 128 [2178|>128] [544|>128] [2562|>128] xor128bits.casm

# apply clients mask on outputs
256 128 [2434|>128] [1152|>128] [2690|>128] xor128bits.casm
256 128 [2562|>128] [1280|>128] [2818|>128] xor128bits.casm

256 128 [2306|>128] [1408|>128] [2946|>128] xor128bits.casm
64 32 [1794|>32] [1536|>32] [3074|>32] xor32bits.casm
64 32 [1826|>32] [1568|>32] [3106|>32] xor32bits.casm
64 32 [1858|>32] [1600|>32] [3138|>32] xor32bits.casm