mirror of
https://github.com/selfxyz/self.git
synced 2026-04-27 03:01:15 -04:00
update comments and remove unused codes
This commit is contained in:
seshanthS
@@ -74,6 +74,12 @@ template Mgf1Sha512(seedLen, maskLen) { //in bytes
|
||||
}
|
||||
}
|
||||
|
||||
/// @title MGF1 with SHA-384
|
||||
/// @notice Implements MGF1 using SHA-384 as the underlying hash function
|
||||
/// @param seedLen Length of the input seed in bytes
|
||||
/// @param maskLen Desired length of the output mask in bytes
|
||||
/// @input seed Input seed value as array of bits
|
||||
/// @output out Generated mask as array of bits
|
||||
template Mgf1Sha384(SEED_LEN, MASK_LEN) { //in bytes
|
||||
var SEED_LEN_BITS = SEED_LEN * 8;
|
||||
var MASK_LEN_BITS = MASK_LEN * 8;
|
||||
@@ -127,6 +133,12 @@ template Mgf1Sha384(SEED_LEN, MASK_LEN) { //in bytes
|
||||
}
|
||||
}
|
||||
|
||||
/// @title MGF1 with SHA-256
|
||||
/// @notice Implements MGF1 using SHA-256 as the underlying hash function
|
||||
/// @param seedLen Length of the input seed in bytes
|
||||
/// @param maskLen Desired length of the output mask in bytes
|
||||
/// @input seed Input seed value as array of bits
|
||||
/// @output out Generated mask as array of bits
|
||||
template Mgf1Sha256(SEED_LEN, MASK_LEN) { //in bytes
|
||||
var SEED_LEN_BITS = SEED_LEN * 8;
|
||||
var MASK_LEN_BITS = MASK_LEN * 8;
|
||||
@@ -192,134 +204,3 @@ template Mgf1Sha256(SEED_LEN, MASK_LEN) { //in bytes
|
||||
out[i] <== hashed[i];
|
||||
}
|
||||
}
|
||||
|
||||
// pragma circom 2.1.9;
|
||||
|
||||
// include "circom-dl/circuits/bitify/bitify.circom";
|
||||
// include "../sha2/sha256/sha256_hash_bits.circom";
|
||||
// include "../sha2/sha384/sha384_hash_bits.circom";
|
||||
|
||||
// template Mgf1Sha384(seedLen, maskLen) { //in bytes
|
||||
// var seedLenBits = seedLen * 8;
|
||||
// var maskLenBits = maskLen * 8;
|
||||
// var hashLen = 48; //output len of sha function in bytes
|
||||
// var hashLenBits = hashLen * 8;//output len of sha function in bits
|
||||
|
||||
// signal input seed[seedLenBits]; //each represents a bit
|
||||
// signal output out[maskLenBits];
|
||||
|
||||
// assert(maskLen <= 0xffffffff * hashLen );
|
||||
// var iterations = (maskLen \ hashLen) + 1; //adding 1, in-case maskLen \ hashLen is 0
|
||||
// component sha384[iterations];
|
||||
// component num2Bits[iterations];
|
||||
|
||||
// for (var i = 0; i < iterations; i++) {
|
||||
// sha384[i] = Sha384_hash_chunks(1); //32 bits for counter
|
||||
// num2Bits[i] = Num2Bits(32);
|
||||
// }
|
||||
|
||||
// var concated[1024]; //seed + 32 bits(4 Bytes) for counter
|
||||
// signal hashed[hashLenBits * (iterations)];
|
||||
|
||||
// for (var i = 0; i < seedLenBits; i++) {
|
||||
// concated[i] = seed[i];
|
||||
// }
|
||||
|
||||
// for (var i = 0; i < iterations; i++) {
|
||||
// num2Bits[i].in <== i; //convert counter to bits
|
||||
|
||||
// for (var j = 0; j < 32; j++) {
|
||||
// //concat seed and counter
|
||||
// concated[seedLenBits + j] = num2Bits[i].out[31-j];
|
||||
// }
|
||||
|
||||
// //adding padding (len = 416 = 110100000)
|
||||
// for (var j = 417; j < 1015; j++){
|
||||
// concated[j] = 0;
|
||||
// }
|
||||
// concated[416] = 1;
|
||||
// concated[1023] = 0;
|
||||
// concated[1022] = 0;
|
||||
// concated[1021] = 0;
|
||||
// concated[1020] = 0;
|
||||
// concated[1019] = 0;
|
||||
// concated[1018] = 1;
|
||||
// concated[1017] = 0;
|
||||
// concated[1016] = 1;
|
||||
// concated[1015] = 1;
|
||||
|
||||
// //hashing value
|
||||
// sha384[i].in <== concated;
|
||||
|
||||
// for (var j = 0; j < hashLenBits; j++) {
|
||||
// hashed[i * hashLenBits + j] <== sha384[i].out[j];
|
||||
// }
|
||||
// }
|
||||
|
||||
// for (var i = 0; i < maskLenBits; i++) {
|
||||
// out[i] <== hashed[i];
|
||||
// }
|
||||
// }
|
||||
|
||||
// template Mgf1Sha256(seedLen, maskLen) { //in bytes
|
||||
// var seedLenBits = seedLen * 8;
|
||||
// var maskLenBits = maskLen * 8;
|
||||
// var hashLen = 32; //output len of sha function in bytes
|
||||
// var hashLenBits = hashLen * 8;//output len of sha function in bits
|
||||
|
||||
// signal input seed[seedLenBits]; //each represents a bit
|
||||
// signal output out[maskLenBits];
|
||||
|
||||
// assert(maskLen <= 0xffffffff * hashLen );
|
||||
// var iterations = (maskLen \ hashLen) + 1; //adding 1, in-case maskLen \ hashLen is 0
|
||||
|
||||
// component sha256[iterations];
|
||||
// component num2Bits[iterations];
|
||||
|
||||
// for (var i = 0; i < iterations; i++) {
|
||||
// sha256[i] = Sha256_hash_chunks(1);
|
||||
// num2Bits[i] = Num2Bits(32);
|
||||
// }
|
||||
|
||||
// var concated[512]; //seed + 32 bits(4 Bytes) for counter
|
||||
// signal hashed[hashLenBits * (iterations)];
|
||||
|
||||
// for (var i = 0; i < seedLenBits; i++) {
|
||||
// concated[i] = seed[i];
|
||||
// }
|
||||
|
||||
// for (var i = 0; i < iterations; i++) {
|
||||
// num2Bits[i].in <== i; //convert counter to bits
|
||||
|
||||
// for (var j = 0; j < 32; j++) {
|
||||
// //concat seed and counter
|
||||
// concated[seedLenBits + j] = num2Bits[i].out[31-j];
|
||||
// }
|
||||
|
||||
// //adding padding (len = 288 = 100100000)
|
||||
// for (var j = 289; j < 503; j++){
|
||||
// concated[j] = 0;
|
||||
// }
|
||||
// concated[288] = 1;
|
||||
// concated[511] = 0;
|
||||
// concated[510] = 0;
|
||||
// concated[509] = 0;
|
||||
// concated[508] = 0;
|
||||
// concated[507] = 0;
|
||||
// concated[506] = 1;
|
||||
// concated[505] = 0;
|
||||
// concated[504] = 0;
|
||||
// concated[503] = 1;
|
||||
|
||||
// //hashing value
|
||||
// sha256[i].in <== concated;
|
||||
|
||||
// for (var j = 0; j < hashLenBits; j++) {
|
||||
// hashed[i * hashLenBits + j] <== sha256[i].out[j];
|
||||
// }
|
||||
// }
|
||||
|
||||
// for (var i = 0; i < maskLenBits; i++) {
|
||||
// out[i] <== hashed[i];
|
||||
// }
|
||||
// }
|
||||
|
||||
@@ -6,18 +6,6 @@ include "../../bitify/gates.circom";
|
||||
include "../../hasher/hash.circom";
|
||||
include "../FpPowMod.circom";
|
||||
|
||||
/*
|
||||
* Verification for RSAPSS signature.
|
||||
* hashed is hashed message of hash_type algo, hash_type is algo hash algo for mgf1 mask generation.
|
||||
* There is no assert for CHUNK_SIZE == 64 and it may work with other chunking, but this one wasn`t tested,
|
||||
* so better use 64 signature and pubkey - chunked numbers (CHUNK_SIZE, CHUNK_NUMBER).
|
||||
* default exp = 65537
|
||||
* SALT_LEN is salt lenght in bytes! (NOT IN BITES LIKE HASH_TYPE!).
|
||||
* This is because salt len can`t be % 8 != 0 so we use bytes len (8 bites).
|
||||
* For now, only HASH_TYPE == 384 && SALT_LEN == 48, HASH_TYPE == 256 && SALT_LEN == 64, HASH_TYPE == 256 && SALT_LEN == 32 cases supported.
|
||||
* Use this for CHUNK_NUMBER == 2**n, otherwise error will occur.
|
||||
*/
|
||||
|
||||
/*
|
||||
* RSA-PSS (Probabilistic Signature Scheme) Signature Verification
|
||||
* ============================================================
|
||||
@@ -32,7 +20,7 @@ include "../FpPowMod.circom";
|
||||
* 4. Verifies the signature using MGF1 mask generation and hash comparison
|
||||
*
|
||||
* Parameters:
|
||||
* - CHUNK_SIZE: Size of each chunk in bits (recommended: 120)
|
||||
* - CHUNK_SIZE: Size of each chunk in bits (recommended: 64)
|
||||
* - CHUNK_NUMBER: Number of chunks in modulus (must be 2^n)
|
||||
* - SALT_LEN: Salt length in bytes
|
||||
* - HASH_TYPE: Hash function output size in bits (256/384/512)
|
||||
@@ -52,6 +40,8 @@ include "../FpPowMod.circom";
|
||||
* Important Notes:
|
||||
* - CHUNK_NUMBER must be a power of 2 (2^n)
|
||||
* - Salt length is specified in bytes (not bits)
|
||||
* - The signature and EM length is bounded by the public key modulus length (KEY_LENGTH). This is because RSA signatures are computed using modular exponentiation with the public key modulus (n)
|
||||
* - The KEY_LENGTH parameter represents this modulus length in bits.
|
||||
*/
|
||||
|
||||
/// @title RSA-PSS Signature Verification Circuit
|
||||
@@ -221,6 +211,7 @@ template VerifyRsaPss3Sig(CHUNK_SIZE, CHUNK_NUMBER, SALT_LEN, HASH_TYPE, KEY_LEN
|
||||
mDash[i] <== 0;
|
||||
}
|
||||
|
||||
//sha256 padding
|
||||
mDash[576] <== 1;
|
||||
mDash[1023] <== 0;
|
||||
mDash[1022] <== 0;
|
||||
|
||||
@@ -7,19 +7,55 @@ include "../../hasher/hash.circom";
|
||||
include "../FpPowMod.circom";
|
||||
|
||||
/*
|
||||
* Verification for RSAPSS signature.
|
||||
* hashed is hashed message of hash_type algo, hash_type is algo hash algo for mgf1 mask generation.
|
||||
* There is no assert for CHUNK_SIZE == 64 and it may work with other chunking, but this one wasn`t tested,
|
||||
* so better use 64 signature and pubkey - chunked numbers (CHUNK_SIZE, CHUNK_NUMBER).
|
||||
* default exp = 65537
|
||||
* SALT_LEN is salt lenght in bytes! (NOT IN BITES LIKE HASH_TYPE!).
|
||||
* This is because salt len can`t be % 8 != 0 so we use bytes len (8 bites).
|
||||
* For now, only HASH_TYPE == 384 && SALT_LEN == 48, HASH_TYPE == 256 && SALT_LEN == 64, HASH_TYPE == 256 && SALT_LEN == 32 cases supported.
|
||||
* Use this for CHUNK_NUMBER == 2**n, otherwise error will occur.
|
||||
|
||||
* Singature length will not exceed the modulus length of the public key (which is the keylength), because the signature is
|
||||
* calculated as mod Modulus_of_pubkey .
|
||||
* RSA-PSS (Probabilistic Signature Scheme) Signature Verification
|
||||
* ============================================================
|
||||
*
|
||||
* This template implements RSA-PSS signature verification according to PKCS#1 v2.2 (RFC 8017).
|
||||
* https://www.rfc-editor.org/rfc/rfc8017#section-9.1.2
|
||||
* It verifies that a signature is valid for a given message and public key.
|
||||
*
|
||||
* Process Overview:
|
||||
* 1. Computes s^e mod n where s is the signature, e is public exponent (65537), n is modulus
|
||||
* 2. Validates the encoded message format
|
||||
* 3. Extracts the salt and hash from the encoded message
|
||||
* 4. Verifies the signature using MGF1 mask generation and hash comparison
|
||||
*
|
||||
* Parameters:
|
||||
* - CHUNK_SIZE: Size of each chunk in bits (recommended: 64)
|
||||
* - CHUNK_NUMBER: Number of chunks in modulus (must be 2^n)
|
||||
* - SALT_LEN: Salt length in bytes
|
||||
* - HASH_TYPE: Hash function output size in bits (256/384/512)
|
||||
* - KEY_LENGTH: RSA key length in bits
|
||||
*
|
||||
* Supported Configurations:
|
||||
* - SHA-512 with 64-byte salt
|
||||
* - SHA-384 with 48-byte salt
|
||||
* - SHA-256 with 64-byte salt
|
||||
* - SHA-256 with 32-byte salt
|
||||
*
|
||||
* Inputs:
|
||||
* - pubkey[CHUNK_NUMBER]: Public key modulus split into chunks
|
||||
* - signature[CHUNK_NUMBER]: RSA signature split into chunks
|
||||
* - hashed[HASH_TYPE]: Hash of the original message
|
||||
*
|
||||
* Important Notes:
|
||||
* - CHUNK_NUMBER must be a power of 2 (2^n)
|
||||
* - Salt length is specified in bytes (not bits)
|
||||
* - The signature and EM length is bounded by the public key modulus length (KEY_LENGTH). This is because RSA signatures are computed using modular exponentiation with the public key modulus (n)
|
||||
* - The KEY_LENGTH parameter represents this modulus length in bits.
|
||||
*/
|
||||
|
||||
/// @title RSA-PSS Signature Verification Circuit
|
||||
/// @notice Verifies RSA-PSS signatures according to PKCS#1 v2.1
|
||||
/// @dev Implements core RSA-PSS verification logic including MGF1 mask generation
|
||||
/// @param CHUNK_SIZE Size of each chunk in bits (recommended: 120)
|
||||
/// @param CHUNK_NUMBER Number of chunks in modulus (must be 2^n)
|
||||
/// @param SALT_LEN Salt length in bytes
|
||||
/// @param HASH_TYPE Hash function output size in bits (256/384/512)
|
||||
/// @param KEY_LENGTH RSA key length in bits
|
||||
/// @input pubkey The public key modulus split into chunks
|
||||
/// @input signature The RSA signature split into chunks
|
||||
/// @input hashed The hash of the original message
|
||||
template VerifyRsaPss65537Sig(CHUNK_SIZE, CHUNK_NUMBER, SALT_LEN, HASH_TYPE, KEY_LENGTH) {
|
||||
assert((HASH_TYPE == 384 && SALT_LEN == 48) || (HASH_TYPE == 256 && SALT_LEN == 64) || (HASH_TYPE == 256 && SALT_LEN == 32));
|
||||
|
||||
|
||||
Reference in New Issue
Block a user