add sha1 and rename constants

2026-04-27 03:01:15 -04:00 · 2024-09-16 17:00:47 +02:00
parent 8eb1115e9a
commit 23515d1e7b
8 changed files with 449 additions and 0 deletions
--- a/circuits/circuits/utils/sha1/constants.circom
+++ b/circuits/circuits/utils/sha1/constants.circom
@@ -0,0 +1,53 @@
+pragma circom 2.1.3;
+
+include "../node_modules/circomlib/circuits/bitify.circom";
+
+template H_sha1(x) {
+
+    signal output out[32];
+    var c[5] = [
+        0x67452301,
+        0xefcdab89,
+        0x98badcfe,
+        0x10325476,
+        0xc3d2e1f0
+    ];
+
+    component bitify = Num2Bits(32);
+    bitify.in <== c[x];
+
+    for (var k=0; k<32; k++) {
+        out[k] <== bitify.out[31-k];
+    }
+
+}
+
+template K_sha1(t) {
+    signal output out[32];
+    var k[4] = [0x5a827999, 0x6ed9eba1, 0x8f1bbcdc, 0xca62c1d6];
+
+    component bitify = Num2Bits(32);
+
+    var i;
+
+    if (0 <= t && t <= 19) {
+        bitify.in <== k[0];
+    }
+
+    if (20 <= t && t <= 39) {
+        bitify.in <== k[1];
+    }     
+
+    if (40 <= t && t <= 59) {
+        bitify.in <== k[2];
+    } 
+            
+    if (60 <= t && t <= 79) {
+        bitify.in <== k[3];
+    }
+
+    for (var k=0; k<32; k++) {
+        out[k] <== bitify.out[31-k];
+    }
+
+}
--- a/circuits/circuits/utils/sha1/f.circom
+++ b/circuits/circuits/utils/sha1/f.circom
@@ -0,0 +1,64 @@
+pragma circom 2.1.3;
+
+include "./parity.circom";
+include "../node_modules/circomlib/circuits/sha256/maj.circom";
+include "../node_modules/circomlib/circuits/sha256/ch.circom";
+
+template f_t(t) {
+
+     signal input b[32];
+     signal input c[32];
+     signal input d[32];
+     signal output out[32];
+
+     component maj = Maj_t(32);    
+     component parity = Parity_t(32);
+     component ch = Ch_t(32);
+
+     var k;
+     
+
+     // ch(x, y, z)
+     for (k=0; k<32; k++) {
+          ch.a[k] <== b[k];
+          ch.b[k] <== c[k];
+          ch.c[k] <== d[k];
+     }
+
+     // parity(x, y, z)
+     for (k=0; k < 32; k++) {
+          parity.a[k] <== b[k];
+          parity.b[k] <== c[k];
+          parity.c[k] <== d[k];
+     }
+
+     // maj(x, y, z)
+     for (k=0; k<32; k++) {
+          maj.a[k] <== b[k];
+          maj.b[k] <== c[k];
+          maj.c[k] <== d[k];
+     }
+
+     if (t <= 19) {
+          for (k=0; k <32; k++) {
+               out[k] <== ch.out[k];
+          }
+
+     } else {
+
+          if (t <= 39 || t >= 60) {
+               
+               for (k=0; k < 32; k++) {
+                    out[k] <== parity.out[k];
+               }
+
+          } else {
+
+               for (k=0; k<32; k++) {
+                    out[k] <== maj.out[k];
+               }
+               
+          }
+     }
+
+}
--- a/circuits/circuits/utils/sha1/parity.circom
+++ b/circuits/circuits/utils/sha1/parity.circom
@@ -0,0 +1,23 @@
+pragma circom 2.1.3;
+
+include "../node_modules/circomlib/circuits/sha256/xor3.circom";
+
+template Parity_t(n) {
+     signal input a[n];
+     signal input b[n];
+     signal input c[n];
+     signal output out[n];
+
+     component xor3 = Xor3(32);
+     var k;
+
+     for (k=0; k<32; k++) {
+          xor3.a[k] <== a[k];
+          xor3.b[k] <== b[k];
+          xor3.c[k] <== c[k];
+     }
+
+     for (k=0; k<32; k++) {
+          out[k] <== xor3.out[k];
+     }
+}
--- a/circuits/circuits/utils/sha1/rotate.circom
+++ b/circuits/circuits/utils/sha1/rotate.circom
@@ -0,0 +1,10 @@
+pragma circom 2.1.3;
+
+template RotL(n, l) {
+    signal input in[n];
+    signal output out[n];
+
+    for (var i=(n-1); i >= 0; i--) {
+        out[i] <== in[ (i+l)%n ];
+    }
+}
--- a/circuits/circuits/utils/sha1/sha1.circom
+++ b/circuits/circuits/utils/sha1/sha1.circom
@@ -0,0 +1,74 @@
+pragma circom 2.1.3;
+
+include "constants.circom";
+include "sha1compression.circom";
+
+template Sha1(nBits) {
+    signal input in[nBits];
+    signal output out[160];
+
+    var i;
+    var k;
+    var nBlocks;
+    var bitsLastBlock;
+
+    nBlocks = ((nBits + 64) \ 512) + 1;    
+
+    signal paddedIn[nBlocks * 512];
+
+    for (k=0; k<nBits; k++) {
+        paddedIn[k] <== in[k];
+    }
+
+    paddedIn[nBits] <== 1;
+
+    for (k=nBits+1; k<nBlocks*512-64; k++) {
+        paddedIn[k] <== 0;
+    }   
+
+    for (k = 0; k< 64; k++) {
+        paddedIn[nBlocks*512 - k -1] <== (nBits >> k)&1;
+    }
+
+    component ha0 = H_sha1(0);
+    component hb0 = H_sha1(1);
+    component hc0 = H_sha1(2);
+    component hd0 = H_sha1(3);
+    component he0 = H_sha1(4);
+
+    component sha1compression[nBlocks];
+    
+    for (i=0; i<nBlocks; i++) {
+        
+        sha1compression[i] = Sha1compression();
+
+        if (i==0) {
+            for (k=0; k<32; k++) {
+                sha1compression[i].hin[0*32+k] <== ha0.out[k];
+                sha1compression[i].hin[1*32+k] <== hb0.out[k];
+                sha1compression[i].hin[2*32+k] <== hc0.out[k];
+                sha1compression[i].hin[3*32+k] <== hd0.out[k];
+                sha1compression[i].hin[4*32+k] <== he0.out[k];
+            }
+        } else {
+            for (k=0; k<32; k++) {
+                sha1compression[i].hin[32*0+k] <== sha1compression[i-1].out[32*0+31-k];
+                sha1compression[i].hin[32*1+k] <== sha1compression[i-1].out[32*1+31-k];
+                sha1compression[i].hin[32*2+k] <== sha1compression[i-1].out[32*2+31-k];
+                sha1compression[i].hin[32*3+k] <== sha1compression[i-1].out[32*3+31-k];
+                sha1compression[i].hin[32*4+k] <== sha1compression[i-1].out[32*4+31-k];
+            } 
+        }
+
+        for (k=0; k<512; k++) {
+            sha1compression[i].inp[k] <== paddedIn[i*512+k];
+        }
+        
+    }
+
+    for (i=0; i<5; i++) {
+        for (k = 0; k < 32; k++) {
+            out[32*i + k] <== sha1compression[nBlocks-1].out[32*i + (31-k)];
+        }
+    }
+}
--- a/circuits/circuits/utils/sha1/sha1compression.circom
+++ b/circuits/circuits/utils/sha1/sha1compression.circom
@@ -0,0 +1,127 @@
+pragma circom 2.1.3;
+
+include "./rotate.circom";  
+include "./xor4.circom";
+include "./constants.circom";
+include "./t.circom";
+
+template Sha1compression() {
+
+    signal input hin[160];
+    signal input inp[512];
+    signal output out[160];
+
+    signal a[81][32];
+    signal b[81][32];
+    signal c[81][32];
+    signal d[81][32];
+    signal e[81][32];
+    signal w[80][32];
+
+    var i;
+
+    component rotl_1[64];
+    for (i=0; i<64; i++) rotl_1[i] = RotL(32, 1);
+    
+    component xor4[64];
+    for (i=0; i<64; i++) xor4[i] = Xor4(32);
+
+    component rotl_30[80];
+    for (i=0; i<=79; i++) rotl_30[i] = RotL(32, 30);
+
+    component K_t[80];
+    for (i=0; i<=79; i++) K_t[i] = K_sha1(i);
+
+    component t_tmp[80];
+    for (i=0; i<=79; i++) t_tmp[i] = T(i);
+
+    component fsum[5];
+    for (i=0; i<5; i++) fsum[i] = BinSum(32, 2);
+    
+    var k;
+    var t;
+
+    for (t=0; t<=15; t++) {
+        for (k=0; k<32; k++) {
+            w[t][k] <== inp[t*32+k];
+        }
+    }
+
+    for (t=16; t<=79; t++) {
+        for (k=0; k<32; k++) {
+            xor4[t-16].a[k] <== w[t-3][k];
+            xor4[t-16].b[k] <== w[t-8][k];
+            xor4[t-16].c[k] <== w[t-14][k];
+            xor4[t-16].d[k] <== w[t-16][k];
+        }
+        for (k=0; k<32; k++) {
+            rotl_1[t-16].in[k] <== xor4[t-16].out[k];
+        }
+        for (k=0; k<32; k++) {
+            w[t][k] <== rotl_1[t-16].out[k];
+        }
+    }
+
+
+    // Initialize five working variables
+    for (k=0; k<32; k++) {
+        a[0][k] <== hin[k];
+        b[0][k] <== hin[32*1 + k];
+        c[0][k] <== hin[32*2 + k];
+        d[0][k] <== hin[32*3 + k];
+        e[0][k] <== hin[32*4 + k];
+    }
+
+    for (t=0; t<=79; t++) {
+
+        for (k=0; k<32; k++) {
+            t_tmp[t].a[k] <== a[t][k];
+            t_tmp[t].b[k] <== b[t][k];
+            t_tmp[t].c[k] <== c[t][k];
+            t_tmp[t].d[k] <== d[t][k];
+            t_tmp[t].e[k] <== e[t][k];
+            t_tmp[t].k_t[k] <== K_t[t].out[k];
+            t_tmp[t].w[k] <== w[t][k];
+
+            rotl_30[t].in[k] <== b[t][k];            
+        }
+
+        for (k=0; k<32; k++) {
+            e[t+1][k] <== d[t][k];
+            d[t+1][k] <== c[t][k];
+            c[t+1][k] <== rotl_30[t].out[k];
+            b[t+1][k] <== a[t][k];            
+            a[t+1][k] <== t_tmp[t].out[k];
+        }
+
+
+    }
+
+    for (k=0; k<32; k++) {
+
+        fsum[0].in[0][k] <== hin[31*1-k];
+        fsum[0].in[1][k] <== a[80][31-k];
+        
+        fsum[1].in[0][k] <== hin[31*2-k+1];
+        fsum[1].in[1][k] <== b[80][31-k];
+
+        fsum[2].in[0][k] <== hin[31*3-k+2];
+        fsum[2].in[1][k] <== c[80][31-k];
+        
+        fsum[3].in[0][k] <== hin[31*4-k+3];
+        fsum[3].in[1][k] <== d[80][31-k];
+        
+        fsum[4].in[0][k] <== hin[31*5-k+4];
+        fsum[4].in[1][k] <== e[80][31-k];
+
+    } 
+
+    for (k=0; k<32; k++) {
+        out[k] <== fsum[0].out[k];
+        out[k+32*1] <== fsum[1].out[k];
+        out[k+32*2] <== fsum[2].out[k];
+        out[k+32*3] <== fsum[3].out[k];
+        out[k+32*4] <== fsum[4].out[k];
+    }
+
+}
--- a/circuits/circuits/utils/sha1/t.circom
+++ b/circuits/circuits/utils/sha1/t.circom
@@ -0,0 +1,69 @@
+pragma circom 2.1.3;
+
+include "./rotate.circom";
+include "circomlib/circuits/binsum.circom";
+include "circomlib/circuits/comparators.circom";
+include "./f.circom";
+include "./constants.circom";
+
+template T(t) {
+     signal input a[32];
+     signal input b[32];
+     signal input c[32];
+     signal input d[32];
+     signal input e[32];
+     signal input k_t[32];
+     signal input w[32];
+
+     signal output out[32];
+
+     component rotatel_5 = RotL(32, 5);
+     component f = f_t(t);
+
+     var k;
+     for (k=0; k<32; k++) {
+          rotatel_5.in[k] <== a[k];
+          f.b[k] <== b[k];
+          f.c[k] <== c[k];
+          f.d[k] <== d[k];
+     }
+
+     component sum_binary = BinSum(32, 5);
+     var nout = 35; // in BinSum: nbits((2**32 -1)*5);
+
+     for (k=0; k<32; k++) {
+          sum_binary.in[0][k] <== rotatel_5.out[31-k];
+          sum_binary.in[1][k] <== f.out[31-k];
+          sum_binary.in[2][k] <== e[31-k];
+          sum_binary.in[3][k] <== k_t[31-k];
+          sum_binary.in[4][k] <== w[31-k];
+     }
+
+     component sum = Bits2Num(nout);
+     for (k=0; k<nout; k++) {
+          sum.in[k] <== sum_binary.out[k];
+     }
+
+     // perform sum modulo 32
+     signal sum_modulo;
+     signal quotient;
+     component less_than = LessThan(33);
+
+     sum_modulo <-- sum.out % 2**32;
+     quotient <-- sum.out \ 2**32;
+
+     less_than.in[0] <== sum_modulo;
+     less_than.in[1] <== 2**32;
+
+     sum.out === quotient*2**32 + sum_modulo;
+     1 === less_than.out;
+     
+     // reconvert to bit array
+     component sum_binary_modulo = Num2Bits(32);
+     sum_binary_modulo.in <== sum_modulo; 
+
+     for (k=0; k<32; k++) {
+          out[k] <== sum_binary_modulo.out[31-k];
+     }
+
+}
--- a/circuits/circuits/utils/sha1/xor4.circom
+++ b/circuits/circuits/utils/sha1/xor4.circom
@@ -0,0 +1,29 @@
+pragma circom 2.1.3;
+
+template Xor4(n) {
+    signal input a[n];
+    signal input b[n];
+    signal input c[n];
+    signal input d[n];
+
+    signal mid[n];
+    signal a_temp[n];
+    
+    signal output out[n];
+    
+    /*
+    xor3: 
+    mid = b*c
+    out_xor3 = a*( 1 - 2*b -2*c + 4*mid ) + b + c - 2 * mid
+
+    xor4:
+    a ^ b ^ c ^ d
+    out_xor4 = out_xor3 - 2*d*out_xor3 + d
+    */
+
+    for (var k=0; k<n; k++) {
+        mid[k] <== b[k]*c[k];
+        a_temp[k] <== a[k] * (1 -2*b[k]  -2*c[k] +4*mid[k]) + b[k] + c[k] -2*mid[k];
+        out[k] <== a_temp[k] -2*d[k]*a_temp[k] + d[k];
+    }
+}