diff --git a/Cargo.lock b/Cargo.lock index 7a67499c8f..9d98ddba1a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -342,9 +342,9 @@ dependencies = [ [[package]] name = "alloy-chains" -version = "0.2.29" +version = "0.2.30" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ef3a72a2247c34a8545ee99e562b1b9b69168e5000567257ae51e91b4e6b1193" +checksum = "90f374d3c6d729268bbe2d0e0ff992bb97898b2df756691a62ee1d5f0506bc39" dependencies = [ "alloy-primitives", "num_enum", @@ -714,9 +714,9 @@ dependencies = [ [[package]] name = "alloy-rlp" -version = "0.3.12" +version = "0.3.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f70d83b765fdc080dbcd4f4db70d8d23fe4761f2f02ebfa9146b833900634b4" +checksum = "e93e50f64a77ad9c5470bf2ad0ca02f228da70c792a8f06634801e202579f35e" dependencies = [ "alloy-rlp-derive", "arrayvec", @@ -725,9 +725,9 @@ dependencies = [ [[package]] name = "alloy-rlp-derive" -version = "0.3.12" +version = "0.3.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "64b728d511962dda67c1bc7ea7c03736ec275ed2cf4c35d9585298ac9ccf3b73" +checksum = "ce8849c74c9ca0f5a03da1c865e3eb6f768df816e67dd3721a398a8a7e398011" dependencies = [ "proc-macro2", "quote", @@ -971,9 +971,9 @@ dependencies = [ [[package]] name = "alloy-sol-type-parser" -version = "1.5.2" +version = "1.5.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "af67a0b0dcebe14244fc92002cd8d96ecbf65db4639d479f5fcd5805755a4c27" +checksum = "94b91b13181d3bcd23680fd29d7bc861d1f33fbe90fdd0af67162434aeba902d" dependencies = [ "serde", "winnow", 
@@ -2010,9 +2010,9 @@ checksum = "7575182f7272186991736b70173b0ea045398f984bf5ebbb3804736ce1330c9d" [[package]] name = "bytemuck" -version = "1.24.0" +version = "1.25.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1fbdf580320f38b612e485521afda1ee26d10cc9884efaaa750d383e13e3c5f4" +checksum = "c8efb64bd706a16a1bdde310ae86b351e4d21550d98d056f22f8a7f7a2183fec" [[package]] name = "byteorder" @@ -2070,9 +2070,9 @@ dependencies = [ [[package]] name = "cc" -version = "1.2.54" +version = "1.2.55" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6354c81bbfd62d9cfa9cb3c773c2b7b2a3a482d569de977fd0e961f6e7c00583" +checksum = "47b26a0954ae34af09b50f0de26458fa95369a0d478d8236d3f93082b219bd29" dependencies = [ "find-msvc-tools", "jobserver", @@ -2936,6 +2936,7 @@ dependencies = [ "anyhow", "dirs 5.0.1", "e3-events", + "e3-fhe-params", "figment", "path-clean", "petname", @@ -3315,6 +3316,17 @@ dependencies = [ "thiserror 1.0.69", ] +[[package]] +name = "e3-polynomial" +version = "0.1.8" +source = "git+https://github.com/gnosisguild/enclave?branch=main#ebf6f386dcefd6ab9c5060d4b8932ed1fa1132b9" +dependencies = [ + "num-bigint", + "num-traits", + "serde", + "thiserror 1.0.69", +] + [[package]] name = "e3-program-server" version = "0.1.8" @@ -3336,7 +3348,7 @@ version = "0.1.8" dependencies = [ "anyhow", "e3-fhe-params", - "e3-polynomial", + "e3-polynomial 0.1.8", "e3-zk-helpers", "fhe", "fhe-math", @@ -3389,6 +3401,18 @@ dependencies = [ "taceo-poseidon2", ] +[[package]] +name = "e3-safe" +version = "0.1.8" +source = "git+https://github.com/gnosisguild/enclave#ebf6f386dcefd6ab9c5060d4b8932ed1fa1132b9" +dependencies = [ + "ark-bn254 0.5.0", + "ark-ff 0.5.0", + "hex", + "sha3", + "taceo-poseidon2", +] + [[package]] name = "e3-sdk" version = "0.1.8" 
@@ -3583,8 +3607,8 @@ version = "0.1.8" dependencies = [ "ark-bn254 0.5.0", "ark-ff 0.5.0", - "e3-polynomial", - "e3-safe", + "e3-polynomial 0.1.8", + "e3-safe 0.1.8", "fhe", "num-bigint", "num-traits", @@ -3937,9 +3961,9 @@ dependencies = [ [[package]] name = "find-msvc-tools" -version = "0.1.8" +version = "0.1.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8591b0bcc8a98a64310a2fae1bb3e9b8564dd10e381e6e28010fde8e8e8568db" +checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582" [[package]] name = "fixed-hash" @@ -4647,9 +4671,9 @@ dependencies = [ [[package]] name = "iana-time-zone" -version = "0.1.64" +version = "0.1.65" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "33e57f83510bb73707521ebaffa789ec8caf86f9657cad665b092b581d40e9fb" +checksum = "e31bc9ad994ba00e440a8aa5c9ef0ec67d5cb5e5cb0cc7f8b744a35b389cc470" dependencies = [ "android_system_properties", "core-foundation-sys", @@ -5086,9 +5110,9 @@ dependencies = [ [[package]] name = "keccak-asm" -version = "0.1.4" +version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "505d1856a39b200489082f90d897c3f07c455563880bc5952e38eabf731c83b6" +checksum = "b646a74e746cd25045aa0fd42f4f7f78aa6d119380182c7e63a5593c4ab8df6f" dependencies = [ "digest 0.10.7", "sha3-asm", @@ -5149,9 +5173,9 @@ dependencies = [ [[package]] name = "libm" -version = "0.2.15" +version = "0.2.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f9fbbcab51052fe104eb5e5d351cf728d30a5be1fe14d9be8a3b097481fb97de" +checksum = "b6d2cec3eae94f9f509c767b45932f1ada8350c4bdb85af2fcab4a3c14807981" [[package]] name = "libp2p" 
@@ -6624,17 +6648,6 @@ dependencies = [ "windows-sys 0.61.2", ] -[[package]] -name = "polynomial" -version = "0.1.7" -source = "git+https://github.com/gnosisguild/enclave?branch=main#54db685297b55d517aa86a6005e77e9a0354af02" -dependencies = [ - "num-bigint", - "num-traits", - "serde", - "thiserror 1.0.69", -] - [[package]] name = "polyval" version = "0.6.2" @@ -6649,9 +6662,9 @@ dependencies = [ [[package]] name = "portable-atomic" -version = "1.13.0" +version = "1.13.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f89776e4d69bb58bc6993e99ffa1d11f228b839984854c7daeb5d37f87cbe950" +checksum = "c33a9471896f1c69cecef8d20cbe2f7accd12527ce60845ff44c153bb2a21b49" [[package]] name = "potential_utf" @@ -7507,18 +7520,6 @@ version = "1.0.22" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a50f4cf475b65d88e057964e0e9bb1f0aa9bbb2036dc65c64596b42932536984" -[[package]] -name = "safe" -version = "0.1.7" -source = "git+https://github.com/gnosisguild/enclave#54db685297b55d517aa86a6005e77e9a0354af02" -dependencies = [ - "ark-bn254 0.5.0", - "ark-ff 0.5.0", - "hex", - "sha3", - "taceo-poseidon2", -] - [[package]] name = "same-file" version = "1.0.6" @@ -7560,9 +7561,9 @@ dependencies = [ [[package]] name = "schemars" -version = "1.2.0" +version = "1.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "54e910108742c57a770f492731f99be216a52fadd361b06c8fb59d74ccc267d2" +checksum = "a2b42f36aa1cd011945615b92222f6bf73c599a102a300334cd7f8dbeec726cc" dependencies = [ "dyn-clone", "ref-cast", @@ -7757,7 +7758,7 @@ dependencies = [ "indexmap 1.9.3", "indexmap 2.13.0", "schemars 0.9.0", - "schemars 1.2.0", + "schemars 1.2.1", "serde", "serde_derive", "serde_json", 
@@ -7859,9 +7860,9 @@ dependencies = [ [[package]] name = "sha3-asm" -version = "0.1.4" +version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c28efc5e327c837aa837c59eae585fc250715ef939ac32881bcc11677cd02d46" +checksum = "b31139435f327c93c6038ed350ae4588e2c70a13d50599509fee6349967ba35a" dependencies = [ "cc", "cfg-if", @@ -7963,15 +7964,15 @@ checksum = "e320a6c5ad31d271ad523dcf3ad13e2767ad8b1cb8f047f75a8aeaf8da139da2" [[package]] name = "siphasher" -version = "1.0.1" +version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "56199f7ddabf13fe5074ce809e7d3f42b42ae711800501b5b16ea82ad029c39d" +checksum = "b2aa850e253778c88a04c3d7323b043aeda9d3e30d5971937c1855769763678e" [[package]] name = "slab" -version = "0.4.11" +version = "0.4.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7a2ae44ef20feb57a68b23d846850f861394c2e02dc425a50098ae8c90267589" +checksum = "0c790de23124f9ab44544d7ac05d60440adc586479ce501c1d6d7da3cd8c9cf5" [[package]] name = "sled" @@ -8109,9 +8110,9 @@ dependencies = [ [[package]] name = "syn-solidity" -version = "1.5.2" +version = "1.5.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f92d01b5de07eaf324f7fca61cc6bd3d82bbc1de5b6c963e6fe79e86f36580d" +checksum = "2379beea9476b89d0237078be761cf8e012d92d5ae4ae0c9a329f974838870fc" dependencies = [ "paste", "proc-macro2", 
@@ -9560,18 +9561,18 @@ dependencies = [ [[package]] name = "zerocopy" -version = "0.8.33" +version = "0.8.37" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "668f5168d10b9ee831de31933dc111a459c97ec93225beb307aed970d1372dfd" +checksum = "7456cf00f0685ad319c5b1693f291a650eaf345e941d082fc4e03df8a03996ac" dependencies = [ "zerocopy-derive", ] [[package]] name = "zerocopy-derive" -version = "0.8.33" +version = "0.8.37" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2c7962b26b0a8685668b671ee4b54d007a67d4eaf05fda79ac0ecf41e32270f1" +checksum = "1328722bbf2115db7e19d69ebcc15e795719e2d66b60827c6a69a117365e37a0" dependencies = [ "proc-macro2", "quote", @@ -9665,19 +9666,19 @@ dependencies = [ [[package]] name = "zkfhe-greco" version = "0.1.0" -source = "git+https://github.com/gnosisguild/zkfhe-generator#02131ceea13a9ff154a4d8cdd534261dacbfc724" +source = "git+https://github.com/gnosisguild/zkfhe-generator#31e91b2032c12ef0945f74afac0608f711d25501" dependencies = [ "anyhow", "ark-bn254 0.5.0", "ark-ff 0.5.0", "blake3", + "e3-polynomial 0.1.8 (git+https://github.com/gnosisguild/enclave?branch=main)", "fhe", "fhe-math", "fhe-traits", "itertools 0.14.0", "num-bigint", "num-traits", - "polynomial", "rand 0.8.5", "rayon", "serde", @@ -9690,20 +9691,20 @@ dependencies = [ [[package]] name = "zkfhe-shared" version = "0.1.0" -source = "git+https://github.com/gnosisguild/zkfhe-generator#02131ceea13a9ff154a4d8cdd534261dacbfc724" +source = "git+https://github.com/gnosisguild/zkfhe-generator#31e91b2032c12ef0945f74afac0608f711d25501" dependencies = [ "anyhow", "ark-bn254 0.5.0", "ark-ff 0.5.0", "chrono", + "e3-polynomial 0.1.8 (git+https://github.com/gnosisguild/enclave?branch=main)", + "e3-safe 0.1.8 (git+https://github.com/gnosisguild/enclave)", "fhe", "fhe-math", "fhe-traits", "num-bigint", "num-traits", - "polynomial", "rand 0.8.5", - "safe", "serde", "serde_json", "thiserror 1.0.69", 
diff --git a/circuits/bin/aggregation/insecure/Nargo.toml b/circuits/bin/aggregation/insecure/Nargo.toml
deleted file mode 100644
index 635384631e..0000000000
--- a/circuits/bin/aggregation/insecure/Nargo.toml
+++ /dev/null
@@ -1,10 +0,0 @@
-[workspace]
-members = [
- "pk_trbfv_wrapper",
- "verify_shares_trbfv_wrapper",
- "enc_bfv_wrapper",
- "dec_bfv_wrapper",
- "pk_agg_trbfv_wrapper",
- "dec_share_trbfv_wrapper",
- "dec_shares_agg_trbfv_wrapper",
-]
\ No newline at end of file
diff --git a/circuits/bin/aggregation/insecure/dec_bfv_wrapper/src/main.nr b/circuits/bin/aggregation/insecure/dec_bfv_wrapper/src/main.nr
deleted file mode 100644
index 1135d82692..0000000000
--- a/circuits/bin/aggregation/insecure/dec_bfv_wrapper/src/main.nr
+++ /dev/null
@@ -1,34 +0,0 @@
-// SPDX-License-Identifier: LGPL-3.0-only
-//
-// This file is provided WITHOUT ANY WARRANTY;
-// without even the implied warranty of MERCHANTABILITY
-// or FITNESS FOR A PARTICULAR PURPOSE.
-
-use bb_proof_verification::{UltraHonkProof, UltraHonkVerificationKey, verify_ultrahonk_proof};
-use lib::math::commitments::compute_aggregation_commitment;
-
-// Number of proofs.
-pub global N_PROOFS: u32 = 2;
-/// Number of public inputs/outputs per proof.
-pub global N_PUBLIC_INPUTS: u32 = 11;
-
-fn main(
- verification_key: UltraHonkVerificationKey,
- proofs: [UltraHonkProof; N_PROOFS],
- public_inputs: pub [[Field; N_PUBLIC_INPUTS]; N_PROOFS],
- key_hash: Field,
-) -> pub Field {
- for i in 0..N_PROOFS {
- verify_ultrahonk_proof(verification_key, proofs[i], public_inputs[i], key_hash);
- }
-
- let mut aggregated_public_inputs = Vec::new();
-
- for i in 0..N_PROOFS {
- for j in 0..N_PUBLIC_INPUTS {
- aggregated_public_inputs.push(public_inputs[i][j]);
- }
- }
-
- compute_aggregation_commitment(aggregated_public_inputs)
-}
diff --git a/circuits/bin/aggregation/insecure/dec_shares_agg_trbfv_wrapper/Nargo.toml b/circuits/bin/aggregation/insecure/dec_shares_agg_trbfv_wrapper/Nargo.toml
deleted file mode 100644
index 2a78a4a42a..0000000000
--- a/circuits/bin/aggregation/insecure/dec_shares_agg_trbfv_wrapper/Nargo.toml
+++ /dev/null
@@ -1,9 +0,0 @@
-[package]
-name = "dec_shares_agg_trbfv_wrapper"
-type = "bin"
-authors = ["Gnosis Guild / Enclave"]
-version = "1.0.0-beta.15"
-
-[dependencies]
-lib = { path = "../../../../lib" }
-bb_proof_verification = { git = "https://github.com/AztecProtocol/aztec-packages/", tag = "v3.0.0-nightly.20251104", directory = "barretenberg/noir/bb_proof_verification" }
\ No newline at end of file
diff --git a/circuits/bin/aggregation/insecure/verify_shares_trbfv_wrapper/Nargo.toml b/circuits/bin/aggregation/insecure/verify_shares_trbfv_wrapper/Nargo.toml
deleted file mode 100644
index 988e16adad..0000000000
--- a/circuits/bin/aggregation/insecure/verify_shares_trbfv_wrapper/Nargo.toml
+++ /dev/null
@@ -1,9 +0,0 @@
-[package]
-name = "verify_shares_trbfv_wrapper"
-type = "bin"
-authors = ["Gnosis Guild / Enclave"]
-version = "1.0.0-beta.15"
-
-[dependencies]
-lib = { path = "../../../../lib" }
-bb_proof_verification = { git = "https://github.com/AztecProtocol/aztec-packages/", tag = "v3.0.0-nightly.20251104", directory = "barretenberg/noir/bb_proof_verification" }
\ No newline at end of file
diff --git a/circuits/bin/aggregation/production/Nargo.toml b/circuits/bin/aggregation/production/Nargo.toml
deleted file mode 100644
index cd25cb537a..0000000000
--- a/circuits/bin/aggregation/production/Nargo.toml
+++ /dev/null
@@ -1,10 +0,0 @@
-[workspace]
-members = [
- "pk_trbfv_wrapper",
- "verify_shares_trbfv_wrapper",
- "enc_bfv_wrapper",
- "dec_bfv_wrapper",
- "pk_agg_trbfv_wrapper",
- "dec_share_trbfv_wrapper",
- "dec_shares_agg_trbfv_wrapper"
-]
\ No newline at end of file
diff --git a/circuits/bin/aggregation/production/dec_share_trbfv_wrapper/Nargo.toml b/circuits/bin/aggregation/production/dec_share_trbfv_wrapper/Nargo.toml
deleted file mode 100644
index 71d46d5a18..0000000000
--- a/circuits/bin/aggregation/production/dec_share_trbfv_wrapper/Nargo.toml
+++ /dev/null
@@ -1,9 +0,0 @@
-[package]
-name = "dec_share_trbfv_wrapper"
-type = "bin"
-authors = ["Gnosis Guild / Enclave"]
-version = "1.0.0-beta.15"
-
-[dependencies]
-lib = { path = "../../../../lib" }
-bb_proof_verification = { git = "https://github.com/AztecProtocol/aztec-packages/", tag = "v3.0.0-nightly.20251104", directory = "barretenberg/noir/bb_proof_verification" }
\ No newline at end of file
diff --git a/circuits/bin/aggregation/production/dec_share_trbfv_wrapper/src/main.nr b/circuits/bin/aggregation/production/dec_share_trbfv_wrapper/src/main.nr
deleted file mode 100644
index 2107ef3c8d..0000000000
--- a/circuits/bin/aggregation/production/dec_share_trbfv_wrapper/src/main.nr
+++ /dev/null
@@ -1,34 +0,0 @@
-// SPDX-License-Identifier: LGPL-3.0-only
-//
-// This file is provided WITHOUT ANY WARRANTY;
-// without even the implied warranty of MERCHANTABILITY
-// or FITNESS FOR A PARTICULAR PURPOSE.
-
-use bb_proof_verification::{UltraHonkProof, UltraHonkVerificationKey, verify_ultrahonk_proof};
-use lib::math::commitments::compute_aggregation_commitment;
-
-// Number of proofs.
-pub global N_PROOFS: u32 = 1;
-/// Number of public inputs/outputs per proof.
-pub global N_PUBLIC_INPUTS: u32 = 98306;
-
-fn main(
- verification_key: UltraHonkVerificationKey,
- proofs: [UltraHonkProof; N_PROOFS],
- public_inputs: pub [[Field; N_PUBLIC_INPUTS]; N_PROOFS],
- key_hash: Field,
-) -> pub Field {
- for i in 0..N_PROOFS {
- verify_ultrahonk_proof(verification_key, proofs[i], public_inputs[i], key_hash);
- }
-
- let mut aggregated_public_inputs = Vec::new();
-
- for i in 0..N_PROOFS {
- for j in 0..N_PUBLIC_INPUTS {
- aggregated_public_inputs.push(public_inputs[i][j]);
- }
- }
-
- compute_aggregation_commitment(aggregated_public_inputs)
-}
diff --git a/circuits/bin/aggregation/production/dec_shares_agg_trbfv_wrapper/Nargo.toml b/circuits/bin/aggregation/production/dec_shares_agg_trbfv_wrapper/Nargo.toml
deleted file mode 100644
index 2a78a4a42a..0000000000
--- a/circuits/bin/aggregation/production/dec_shares_agg_trbfv_wrapper/Nargo.toml
+++ /dev/null
@@ -1,9 +0,0 @@
-[package]
-name = "dec_shares_agg_trbfv_wrapper"
-type = "bin"
-authors = ["Gnosis Guild / Enclave"]
-version = "1.0.0-beta.15"
-
-[dependencies]
-lib = { path = "../../../../lib" }
-bb_proof_verification = { git = "https://github.com/AztecProtocol/aztec-packages/", tag = "v3.0.0-nightly.20251104", directory = "barretenberg/noir/bb_proof_verification" }
\ No newline at end of file
diff --git a/circuits/bin/aggregation/production/dec_shares_agg_trbfv_wrapper/src/main.nr b/circuits/bin/aggregation/production/dec_shares_agg_trbfv_wrapper/src/main.nr
deleted file mode 100644
index eeda74714c..0000000000
--- a/circuits/bin/aggregation/production/dec_shares_agg_trbfv_wrapper/src/main.nr
+++ /dev/null
@@ -1,34 +0,0 @@
-// SPDX-License-Identifier: LGPL-3.0-only
-//
-// This file is provided WITHOUT ANY WARRANTY;
-// without even the implied warranty of MERCHANTABILITY
-// or FITNESS FOR A PARTICULAR PURPOSE.
-
-use bb_proof_verification::{UltraHonkProof, UltraHonkVerificationKey, verify_ultrahonk_proof};
-use lib::math::commitments::compute_aggregation_commitment;
-
-// Number of proofs.
-pub global N_PROOFS: u32 = 1;
-/// Number of public inputs/outputs per proof.
-pub global N_PUBLIC_INPUTS: u32 = 1043;
-
-fn main(
- verification_key: UltraHonkVerificationKey,
- proofs: [UltraHonkProof; N_PROOFS],
- public_inputs: pub [[Field; N_PUBLIC_INPUTS]; N_PROOFS],
- key_hash: Field,
-) -> pub Field {
- for i in 0..N_PROOFS {
- verify_ultrahonk_proof(verification_key, proofs[i], public_inputs[i], key_hash);
- }
-
- let mut aggregated_public_inputs = Vec::new();
-
- for i in 0..N_PROOFS {
- for j in 0..N_PUBLIC_INPUTS {
- aggregated_public_inputs.push(public_inputs[i][j]);
- }
- }
-
- compute_aggregation_commitment(aggregated_public_inputs)
-}
diff --git a/circuits/bin/aggregation/production/enc_bfv_wrapper/src/main.nr b/circuits/bin/aggregation/production/enc_bfv_wrapper/src/main.nr
deleted file mode 100644
index 02773b001d..0000000000
--- a/circuits/bin/aggregation/production/enc_bfv_wrapper/src/main.nr
+++ /dev/null
@@ -1,34 +0,0 @@
-// SPDX-License-Identifier: LGPL-3.0-only
-//
-// This file is provided WITHOUT ANY WARRANTY;
-// without even the implied warranty of MERCHANTABILITY
-// or FITNESS FOR A PARTICULAR PURPOSE.
-
-use bb_proof_verification::{UltraHonkProof, UltraHonkVerificationKey, verify_ultrahonk_proof};
-use lib::math::commitments::compute_aggregation_commitment;
-
-// Number of proofs.
-pub global N_PROOFS: u32 = 2;
-/// Number of public inputs/outputs per proof.
-pub global N_PUBLIC_INPUTS: u32 = 32770;
-
-fn main(
- verification_key: UltraHonkVerificationKey,
- proofs: [UltraHonkProof; N_PROOFS],
- public_inputs: pub [[Field; N_PUBLIC_INPUTS]; N_PROOFS],
- key_hash: Field,
-) -> pub Field {
- for i in 0..N_PROOFS {
- verify_ultrahonk_proof(verification_key, proofs[i], public_inputs[i], key_hash);
- }
-
- let mut aggregated_public_inputs = Vec::new();
-
- for i in 0..N_PROOFS {
- for j in 0..N_PUBLIC_INPUTS {
- aggregated_public_inputs.push(public_inputs[i][j]);
- }
- }
-
- compute_aggregation_commitment(aggregated_public_inputs)
-}
diff --git a/circuits/bin/aggregation/production/pk_agg_trbfv_wrapper/Nargo.toml b/circuits/bin/aggregation/production/pk_agg_trbfv_wrapper/Nargo.toml
deleted file mode 100644
index 0b985dd2cc..0000000000
--- a/circuits/bin/aggregation/production/pk_agg_trbfv_wrapper/Nargo.toml
+++ /dev/null
@@ -1,9 +0,0 @@
-[package]
-name = "pk_agg_trbfv_wrapper"
-type = "bin"
-authors = ["Gnosis Guild / Enclave"]
-version = "1.0.0-beta.15"
-
-[dependencies]
-lib = { path = "../../../../lib" }
-bb_proof_verification = { git = "https://github.com/AztecProtocol/aztec-packages/", tag = "v3.0.0-nightly.20251104", directory = "barretenberg/noir/bb_proof_verification" }
\ No newline at end of file
diff --git a/circuits/bin/aggregation/production/pk_agg_trbfv_wrapper/src/main.nr b/circuits/bin/aggregation/production/pk_agg_trbfv_wrapper/src/main.nr
deleted file mode 100644
index f56ef89641..0000000000
--- a/circuits/bin/aggregation/production/pk_agg_trbfv_wrapper/src/main.nr
+++ /dev/null
@@ -1,34 +0,0 @@
-// SPDX-License-Identifier: LGPL-3.0-only
-//
-// This file is provided WITHOUT ANY WARRANTY;
-// without even the implied warranty of MERCHANTABILITY
-// or FITNESS FOR A PARTICULAR PURPOSE.
-
-use bb_proof_verification::{UltraHonkProof, UltraHonkVerificationKey, verify_ultrahonk_proof};
-use lib::math::commitments::compute_aggregation_commitment;
-
-// Number of proofs.
-pub global N_PROOFS: u32 = 1;
-/// Number of public inputs/outputs per proof.
-pub global N_PUBLIC_INPUTS: u32 = 6;
-
-fn main(
- verification_key: UltraHonkVerificationKey,
- proofs: [UltraHonkProof; N_PROOFS],
- public_inputs: pub [[Field; N_PUBLIC_INPUTS]; N_PROOFS],
- key_hash: Field,
-) -> pub Field {
- for i in 0..N_PROOFS {
- verify_ultrahonk_proof(verification_key, proofs[i], public_inputs[i], key_hash);
- }
-
- let mut aggregated_public_inputs = Vec::new();
-
- for i in 0..N_PROOFS {
- for j in 0..N_PUBLIC_INPUTS {
- aggregated_public_inputs.push(public_inputs[i][j]);
- }
- }
-
- compute_aggregation_commitment(aggregated_public_inputs)
-}
diff --git a/circuits/bin/aggregation/production/pk_trbfv_wrapper/Nargo.toml b/circuits/bin/aggregation/production/pk_trbfv_wrapper/Nargo.toml
deleted file mode 100644
index 42756d468c..0000000000
--- a/circuits/bin/aggregation/production/pk_trbfv_wrapper/Nargo.toml
+++ /dev/null
@@ -1,9 +0,0 @@
-[package]
-name = "pk_trbfv_wrapper"
-type = "bin"
-authors = ["Gnosis Guild / Enclave"]
-version = "1.0.0-beta.15"
-
-[dependencies]
-lib = { path = "../../../../lib" }
-bb_proof_verification = { git = "https://github.com/AztecProtocol/aztec-packages/", tag = "v3.0.0-nightly.20251104", directory = "barretenberg/noir/bb_proof_verification" }
\ No newline at end of file
diff --git a/circuits/bin/aggregation/production/pk_trbfv_wrapper/src/main.nr b/circuits/bin/aggregation/production/pk_trbfv_wrapper/src/main.nr
deleted file mode 100644
index 58a2d2a85b..0000000000
--- a/circuits/bin/aggregation/production/pk_trbfv_wrapper/src/main.nr
+++ /dev/null
@@ -1,34 +0,0 @@
-// SPDX-License-Identifier: LGPL-3.0-only
-//
-// This file is provided WITHOUT ANY WARRANTY;
-// without even the implied warranty of MERCHANTABILITY
-// or FITNESS FOR A PARTICULAR PURPOSE.
-
-use bb_proof_verification::{UltraHonkProof, UltraHonkVerificationKey, verify_ultrahonk_proof};
-use lib::math::commitments::compute_aggregation_commitment;
-
-// Number of proofs.
-pub global N_PROOFS: u32 = 1;
-/// Number of public inputs/outputs per proof.
-pub global N_PUBLIC_INPUTS: u32 = 32771;
-
-fn main(
- verification_key: UltraHonkVerificationKey,
- proofs: [UltraHonkProof; N_PROOFS],
- public_inputs: pub [[Field; N_PUBLIC_INPUTS]; N_PROOFS],
- key_hash: Field,
-) -> pub Field {
- for i in 0..N_PROOFS {
- verify_ultrahonk_proof(verification_key, proofs[i], public_inputs[i], key_hash);
- }
-
- let mut aggregated_public_inputs = Vec::new();
-
- for i in 0..N_PROOFS {
- for j in 0..N_PUBLIC_INPUTS {
- aggregated_public_inputs.push(public_inputs[i][j]);
- }
- }
-
- compute_aggregation_commitment(aggregated_public_inputs)
-}
diff --git a/circuits/bin/aggregation/production/verify_shares_trbfv_wrapper/Nargo.toml b/circuits/bin/aggregation/production/verify_shares_trbfv_wrapper/Nargo.toml
deleted file mode 100644
index 988e16adad..0000000000
--- a/circuits/bin/aggregation/production/verify_shares_trbfv_wrapper/Nargo.toml
+++ /dev/null
@@ -1,9 +0,0 @@
-[package]
-name = "verify_shares_trbfv_wrapper"
-type = "bin"
-authors = ["Gnosis Guild / Enclave"]
-version = "1.0.0-beta.15"
-
-[dependencies]
-lib = { path = "../../../../lib" }
-bb_proof_verification = { git = "https://github.com/AztecProtocol/aztec-packages/", tag = "v3.0.0-nightly.20251104", directory = "barretenberg/noir/bb_proof_verification" }
\ No newline at end of file
diff --git a/circuits/bin/aggregation/production/verify_shares_trbfv_wrapper/src/main.nr b/circuits/bin/aggregation/production/verify_shares_trbfv_wrapper/src/main.nr
deleted file mode 100644
index b3a6225c3a..0000000000
--- a/circuits/bin/aggregation/production/verify_shares_trbfv_wrapper/src/main.nr
+++ /dev/null
@@ -1,34 +0,0 @@
-// SPDX-License-Identifier: LGPL-3.0-only
-//
-// This file is provided WITHOUT ANY WARRANTY;
-// without even the implied warranty of MERCHANTABILITY
-// or FITNESS FOR A PARTICULAR PURPOSE.
-
-use bb_proof_verification::{UltraHonkProof, UltraHonkVerificationKey, verify_ultrahonk_proof};
-use lib::math::commitments::compute_aggregation_commitment;
-
-// Number of proofs.
-pub global N_PROOFS: u32 = 2;
-/// Number of public inputs/outputs per proof.
-pub global N_PUBLIC_INPUTS: u32 = 21;
-
-fn main(
- verification_key: UltraHonkVerificationKey,
- proofs: [UltraHonkProof; N_PROOFS],
- public_inputs: pub [[Field; N_PUBLIC_INPUTS]; N_PROOFS],
- key_hash: Field,
-) -> pub Field {
- for i in 0..N_PROOFS {
- verify_ultrahonk_proof(verification_key, proofs[i], public_inputs[i], key_hash);
- }
-
- let mut aggregated_public_inputs = Vec::new();
-
- for i in 0..N_PROOFS {
- for j in 0..N_PUBLIC_INPUTS {
- aggregated_public_inputs.push(public_inputs[i][j]);
- }
- }
-
- compute_aggregation_commitment(aggregated_public_inputs)
-}
diff --git a/circuits/bin/dkg/Nargo.toml b/circuits/bin/dkg/Nargo.toml
new file mode 100644
index 0000000000..416708a4b8
--- /dev/null
+++ b/circuits/bin/dkg/Nargo.toml
@@ -0,0 +1,10 @@
+[workspace]
+members = [
+ "pk",
+ "sk_share_computation",
+ "sk_share_encryption",
+ "sk_share_decryption",
+ "e_sm_share_computation",
+ "e_sm_share_encryption",
+ "e_sm_share_decryption",
+]
\ No newline at end of file
diff --git a/circuits/bin/dkg/e_sm_share_computation/Nargo.toml b/circuits/bin/dkg/e_sm_share_computation/Nargo.toml
new file mode 100644
index 0000000000..babfb2fc8a
--- /dev/null
+++ b/circuits/bin/dkg/e_sm_share_computation/Nargo.toml
@@ -0,0 +1,9 @@
+[package]
+name = "e_sm_share_computation"
+type = "bin"
+authors = ["Gnosis Guild / Enclave"]
+version = "1.0.0-beta.15"
+
+
+[dependencies]
+lib = { path = "../../../lib" }
diff --git a/circuits/bin/dkg/e_sm_share_computation/README.md b/circuits/bin/dkg/e_sm_share_computation/README.md
new file mode 100644
index 0000000000..4909c92d85
--- /dev/null
+++ b/circuits/bin/dkg/e_sm_share_computation/README.md
@@ -0,0 +1 @@
+instantiation of correct Smudging Noise Secret Share Computation (PVSS #2b)
diff --git a/circuits/bin/dkg/e_sm_share_computation/src/main.nr b/circuits/bin/dkg/e_sm_share_computation/src/main.nr
new file mode 100644
index 0000000000..49b28c143e
--- /dev/null
+++ b/circuits/bin/dkg/e_sm_share_computation/src/main.nr
@@ -0,0 +1,29 @@
+// SPDX-License-Identifier: LGPL-3.0-only
+//
+// This file is provided WITHOUT ANY WARRANTY;
+// without even the implied warranty of MERCHANTABILITY
+// or FITNESS FOR A PARTICULAR PURPOSE.
+
+use lib::configs::default::dkg::{
+ L_THRESHOLD, N, PARITY_MATRIX, SHARE_COMPUTATION_BIT_SHARE, SHARE_COMPUTATION_E_SM_BIT_SECRET,
+ SHARE_COMPUTATION_E_SM_CONFIGS,
+};
+use lib::configs::default::{N_PARTIES, T};
+use lib::core::dkg::share_computation::SmudgingNoiseShareComputation;
+use lib::math::polynomial::Polynomial;
+
+fn main(
+ expected_secret_commitment: pub Field,
+ e_sm_secret: [Polynomial; L_THRESHOLD],
+ y: [[[Field; N_PARTIES + 1]; L_THRESHOLD]; N],
+) -> pub [[Field; L_THRESHOLD]; N_PARTIES] {
+ let share_computation_e_sm: SmudgingNoiseShareComputation = SmudgingNoiseShareComputation::new(
+ SHARE_COMPUTATION_E_SM_CONFIGS,
+ expected_secret_commitment,
+ e_sm_secret,
+ y,
+ PARITY_MATRIX,
+ );
+
+ share_computation_e_sm.execute()
+}
diff --git a/circuits/bin/dkg/e_sm_share_decryption/Nargo.toml b/circuits/bin/dkg/e_sm_share_decryption/Nargo.toml
new file mode 100644
index 0000000000..c7089095bd
--- /dev/null
+++ b/circuits/bin/dkg/e_sm_share_decryption/Nargo.toml
@@ -0,0 +1,9 @@
+[package]
+name = "e_sm_share_decryption"
+type = "bin"
+authors = ["Gnosis Guild / Enclave"]
+version = "1.0.0-beta.15"
+
+
+[dependencies]
+lib = { path = "../../../lib" }
diff --git a/circuits/bin/dkg/e_sm_share_decryption/README.md b/circuits/bin/dkg/e_sm_share_decryption/README.md
new file mode 100644
index 0000000000..6cbed3aa86
--- /dev/null
+++ b/circuits/bin/dkg/e_sm_share_decryption/README.md
@@ -0,0 +1 @@
+instantiation of correct Smudging Noise Share Decryption circuit (PVSS #4b)
diff --git a/circuits/bin/dkg/e_sm_share_decryption/src/main.nr b/circuits/bin/dkg/e_sm_share_decryption/src/main.nr
new file mode 100644
index 0000000000..d7806ef1d5
--- /dev/null
+++ b/circuits/bin/dkg/e_sm_share_decryption/src/main.nr
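Review bot: `SHARE_COMPUTATION_BIT_SHARE`, `SHARE_COMPUTATION_E_SM_BIT_SECRET` and `T` are imported at the top of e_sm_share_computation/src/main.nr but never referenced anywhere in the 29-line file, so every build of this circuit will carry unused-import warnings; the same applies to `N` and `SHARE_DECRYPTION_BIT_MSG_E_SM` in e_sm_share_decryption/src/main.nr, and the `N`/`PK_BIT_PK` imports in dkg/pk/src/main.nr look like the same carry-over unless they are used past the visible hunk. Trim the first import to `use lib::configs::default::dkg::{L_THRESHOLD, N, PARITY_MATRIX, SHARE_COMPUTATION_E_SM_CONFIGS};` and the second to `use lib::configs::default::N_PARTIES;`. Separately, `main` has no doc comment: a short `///` block naming what `expected_secret_commitment` is a commitment to, which inputs are private witness (`e_sm_secret`, `y`) versus public (`expected_secret_commitment` and the returned share array, both marked `pub`), and what each returned `[Field; L_THRESHOLD]` row represents would let a reviewer check the public-input layout without reading `SmudgingNoiseShareComputation`.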
@@ -0,0 +1,20 @@
+// SPDX-License-Identifier: LGPL-3.0-only
+//
+// This file is provided WITHOUT ANY WARRANTY;
+// without even the implied warranty of MERCHANTABILITY
+// or FITNESS FOR A PARTICULAR PURPOSE.
+
+use lib::configs::default::dkg::{L_THRESHOLD, N, SHARE_DECRYPTION_BIT_MSG_E_SM};
+use lib::configs::default::H;
+use lib::core::dkg::share_decryption::ShareDecryption;
+use lib::math::polynomial::Polynomial;
+
+fn main(
+ expected_commitments: pub [[Field; L_THRESHOLD]; H],
+ decrypted_shares: [[Polynomial; L_THRESHOLD]; H],
+) -> pub Field {
+ let share_decryption: ShareDecryption =
+ ShareDecryption::new(expected_commitments, decrypted_shares);
+
+ share_decryption.execute()
+}
diff --git a/circuits/bin/dkg/e_sm_share_encryption/Nargo.toml b/circuits/bin/dkg/e_sm_share_encryption/Nargo.toml
new file mode 100644
index 0000000000..e9a79e2a7e
--- /dev/null
+++ b/circuits/bin/dkg/e_sm_share_encryption/Nargo.toml
@@ -0,0 +1,9 @@
+[package]
+name = "e_sm_share_encryption"
+type = "bin"
+authors = ["Gnosis Guild / Enclave"]
+version = "1.0.0-beta.15"
+
+
+[dependencies]
+lib = { path = "../../../lib" }
diff --git a/circuits/bin/dkg/e_sm_share_encryption/README.md b/circuits/bin/dkg/e_sm_share_encryption/README.md
new file mode 100644
index 0000000000..0040c1cec8
--- /dev/null
+++ b/circuits/bin/dkg/e_sm_share_encryption/README.md
@@ -0,0 +1 @@
+instantiation of Smudging Noise Share Encryption circuit (PVSS #3b)
diff --git a/circuits/bin/production/enc_bfv_e_sm/src/main.nr b/circuits/bin/dkg/e_sm_share_encryption/src/main.nr
similarity index 57%
rename from circuits/bin/production/enc_bfv_e_sm/src/main.nr
rename to circuits/bin/dkg/e_sm_share_encryption/src/main.nr
index dd2b492cb7..dc093b2d7f 100644
--- a/circuits/bin/production/enc_bfv_e_sm/src/main.nr
+++ b/circuits/bin/dkg/e_sm_share_encryption/src/main.nr
@@ -4,11 +4,13 @@ // without even the implied warranty of MERCHANTABILITY // or FITNESS FOR A PARTICULAR PURPOSE. -use lib::configs::production::bfv::{ - ENC_BFV_BIT_CT, ENC_BFV_BIT_E0, ENC_BFV_BIT_E1, ENC_BFV_BIT_MSG, ENC_BFV_BIT_P1, ENC_BFV_BIT_P2, - ENC_BFV_BIT_PK, ENC_BFV_BIT_R1, ENC_BFV_BIT_R2, ENC_BFV_BIT_U, ENC_BFV_CONFIGS_E_SM, L, N, +use lib::configs::default::dkg::{ + L, N, SHARE_ENCRYPTION_BIT_CT, SHARE_ENCRYPTION_BIT_E0, SHARE_ENCRYPTION_BIT_E1, + SHARE_ENCRYPTION_BIT_MSG, SHARE_ENCRYPTION_BIT_P1, SHARE_ENCRYPTION_BIT_P2, + SHARE_ENCRYPTION_BIT_PK, SHARE_ENCRYPTION_BIT_R1, SHARE_ENCRYPTION_BIT_R2, + SHARE_ENCRYPTION_BIT_U, SHARE_ENCRYPTION_CONFIGS_E_SM, }; -use lib::core::bfv_enc::EncryptionBfv; +use lib::core::dkg::share_encryption::ShareEncryption; use lib::math::polynomial::Polynomial; fn main( @@ -29,8 +31,8 @@ fn main( p1is: [Polynomial<(2 * N) - 1>; L], p2is: [Polynomial; L], ) { - let enc_bfv: EncryptionBfv = EncryptionBfv::new( - ENC_BFV_CONFIGS_E_SM, + let share_encryption: ShareEncryption = ShareEncryption::new( + SHARE_ENCRYPTION_CONFIGS_E_SM, expected_pk_commitment, expected_message_commitment, pk0is, @@ -48,5 +50,5 @@ fn main( p1is, p2is, ); - enc_bfv.verify(); + share_encryption.execute(); } diff --git a/circuits/bin/insecure/greco/Nargo.toml b/circuits/bin/dkg/pk/Nargo.toml similarity index 89% rename from circuits/bin/insecure/greco/Nargo.toml rename to circuits/bin/dkg/pk/Nargo.toml index 7071850269..60b9e50043 100644 --- a/circuits/bin/insecure/greco/Nargo.toml +++ b/circuits/bin/dkg/pk/Nargo.toml @@ -1,9 +1,8 @@ [package] -name = "greco" +name = "pk" type = "bin" authors = ["Gnosis Guild / Enclave"] version = "1.0.0-beta.15" - [dependencies] lib = { path = "../../../lib" } diff --git a/circuits/bin/dkg/pk/README.md b/circuits/bin/dkg/pk/README.md new file mode 100644 index 0000000000..3edb840650 --- /dev/null +++ b/circuits/bin/dkg/pk/README.md @@ -0,0 +1 @@ +instantiation of correct DKG Public Key circuit (PVSS #0) 
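Review bot: The import path moves from `lib::configs::production::bfv` to `lib::configs::default::dkg`, and the same happens in the `sk_share_encryption` hunk and the `pk` rename below, so the module path no longer signals whether the parameter set in use is production-grade; the deleted `insecure/` and `production/` trees made that distinction explicit in every path. Consider a comment above the `use` block or a line in the `dkg` README stating which parameter set `default` corresponds to, so a reviewer can tell whether a build of these circuits is meant for deployment. The `SHARE_ENCRYPTION_BIT_*` constants are imported but do not appear in the visible part of `main`; `main`'s parameter list and body continue outside this hunk, so they may be used there — if not, they are dead imports.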
diff --git a/circuits/bin/insecure/pk_bfv/src/main.nr b/circuits/bin/dkg/pk/src/main.nr similarity index 61% rename from circuits/bin/insecure/pk_bfv/src/main.nr rename to circuits/bin/dkg/pk/src/main.nr index 986ae868bd..92b4155d60 100644 --- a/circuits/bin/insecure/pk_bfv/src/main.nr +++ b/circuits/bin/dkg/pk/src/main.nr @@ -4,11 +4,12 @@ // without even the implied warranty of MERCHANTABILITY // or FITNESS FOR A PARTICULAR PURPOSE. -use lib::configs::insecure::bfv::{L, N, PK_BFV_BIT_PK}; -use lib::core::bfv_pk::BfvPkCommit; +use lib::configs::default::dkg::{L, N}; +use lib::configs::default::dkg::PK_BIT_PK; +use lib::core::dkg::pk::Pk; use lib::math::polynomial::Polynomial; fn main(pk0is: [Polynomial; L], pk1is: [Polynomial; L]) -> pub Field { - let pk_bfv: BfvPkCommit = BfvPkCommit::new(pk0is, pk1is); - pk_bfv.verify() + let pk: Pk = Pk::new(pk0is, pk1is); + pk.execute() } diff --git a/circuits/bin/insecure/dec_shares_agg_trbfv/Nargo.toml b/circuits/bin/dkg/sk_share_computation/Nargo.toml similarity index 81% rename from circuits/bin/insecure/dec_shares_agg_trbfv/Nargo.toml rename to circuits/bin/dkg/sk_share_computation/Nargo.toml index e04a837cbc..f6e8150fb4 100644 --- a/circuits/bin/insecure/dec_shares_agg_trbfv/Nargo.toml +++ b/circuits/bin/dkg/sk_share_computation/Nargo.toml @@ -1,5 +1,5 @@ [package] -name = "dec_shares_agg_trbfv" +name = "sk_share_computation" type = "bin" authors = ["Gnosis Guild / Enclave"] version = "1.0.0-beta.15" diff --git a/circuits/bin/dkg/sk_share_computation/README.md b/circuits/bin/dkg/sk_share_computation/README.md new file mode 100644 index 0000000000..1090c57822 --- /dev/null +++ b/circuits/bin/dkg/sk_share_computation/README.md @@ -0,0 +1 @@ +instantiation of correct Secret Key Secret Share Computation (PVSS #2a) diff --git a/circuits/bin/dkg/sk_share_computation/src/main.nr b/circuits/bin/dkg/sk_share_computation/src/main.nr new file mode 100644 index 0000000000..755fc878f6 --- /dev/null 
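Review bot: The two lines `use lib::configs::default::dkg::{L, N};` and `use lib::configs::default::dkg::PK_BIT_PK;` import from the same module and should be a single item, `use lib::configs::default::dkg::{L, N, PK_BIT_PK};`, matching the grouped-import style of the other new `dkg` circuits. `N` and `PK_BIT_PK` are not referenced in `main` either, so unless `Pk::new` needs them in scope they can be dropped. A `///` comment on `main` saying what the returned public `Field` is (presumably a commitment over `pk0is`/`pk1is`, but the hunk does not show it) would document the circuit's only public output.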
+++ b/circuits/bin/dkg/sk_share_computation/src/main.nr @@ -0,0 +1,29 @@ +// SPDX-License-Identifier: LGPL-3.0-only +// +// This file is provided WITHOUT ANY WARRANTY; +// without even the implied warranty of MERCHANTABILITY +// or FITNESS FOR A PARTICULAR PURPOSE. + +use lib::configs::default::dkg::{ + L_THRESHOLD, N, PARITY_MATRIX, SHARE_COMPUTATION_BIT_SHARE, SHARE_COMPUTATION_SK_BIT_SECRET, + SHARE_COMPUTATION_SK_CONFIGS, +}; +use lib::configs::default::{N_PARTIES, T}; +use lib::core::dkg::share_computation::SecretKeyShareComputation; +use lib::math::polynomial::Polynomial; + +fn main( + expected_secret_commitment: pub Field, + sk_secret: Polynomial, + y: [[[Field; N_PARTIES + 1]; L_THRESHOLD]; N], +) -> pub [[Field; L_THRESHOLD]; N_PARTIES] { + let sk_share_computation: SecretKeyShareComputation = SecretKeyShareComputation::new( + SHARE_COMPUTATION_SK_CONFIGS, + expected_secret_commitment, + sk_secret, + y, + PARITY_MATRIX, + ); + + sk_share_computation.execute() +} diff --git a/circuits/bin/insecure/enc_bfv_e_sm/Nargo.toml b/circuits/bin/dkg/sk_share_decryption/Nargo.toml similarity index 82% rename from circuits/bin/insecure/enc_bfv_e_sm/Nargo.toml rename to circuits/bin/dkg/sk_share_decryption/Nargo.toml index f34e6c7c44..5b7e7af577 100644 --- a/circuits/bin/insecure/enc_bfv_e_sm/Nargo.toml +++ b/circuits/bin/dkg/sk_share_decryption/Nargo.toml @@ -1,5 +1,5 @@ [package] -name = "enc_bfv_e_sm" +name = "sk_share_decryption" type = "bin" authors = ["Gnosis Guild / Enclave"] version = "1.0.0-beta.15" diff --git a/circuits/bin/dkg/sk_share_decryption/README.md b/circuits/bin/dkg/sk_share_decryption/README.md new file mode 100644 index 0000000000..c73566b882 --- /dev/null +++ b/circuits/bin/dkg/sk_share_decryption/README.md @@ -0,0 +1 @@ +instantiation of correct Secret Key Share Decryption circuit (PVSS #4a) 
diff --git a/circuits/bin/dkg/sk_share_decryption/src/main.nr b/circuits/bin/dkg/sk_share_decryption/src/main.nr new file mode 100644 index 0000000000..6a894eaee2 --- /dev/null +++ b/circuits/bin/dkg/sk_share_decryption/src/main.nr @@ -0,0 +1,20 @@ +// SPDX-License-Identifier: LGPL-3.0-only +// +// This file is provided WITHOUT ANY WARRANTY; +// without even the implied warranty of MERCHANTABILITY +// or FITNESS FOR A PARTICULAR PURPOSE. + +use lib::configs::default::dkg::{L_THRESHOLD, N, SHARE_DECRYPTION_BIT_MSG_SK}; +use lib::configs::default::H; +use lib::core::dkg::share_decryption::ShareDecryption; +use lib::math::polynomial::Polynomial; + +fn main( + expected_commitments: pub [[Field; L_THRESHOLD]; H], + decrypted_shares: [[Polynomial; L_THRESHOLD]; H], +) -> pub Field { + let share_decryption: ShareDecryption = + ShareDecryption::new(expected_commitments, decrypted_shares); + + share_decryption.execute() +} diff --git a/circuits/bin/dkg/sk_share_encryption/Nargo.toml b/circuits/bin/dkg/sk_share_encryption/Nargo.toml new file mode 100644 index 0000000000..34e963b18d --- /dev/null +++ b/circuits/bin/dkg/sk_share_encryption/Nargo.toml @@ -0,0 +1,9 @@ +[package] +name = "sk_share_encryption" +type = "bin" +authors = ["Gnosis Guild / Enclave"] +version = "1.0.0-beta.15" + + +[dependencies] +lib = { path = "../../../lib" } diff --git a/circuits/bin/dkg/sk_share_encryption/README.md b/circuits/bin/dkg/sk_share_encryption/README.md new file mode 100644 index 0000000000..5dfe3aa553 --- /dev/null +++ b/circuits/bin/dkg/sk_share_encryption/README.md @@ -0,0 +1 @@ +instantiation of Secret Key Share Encryption circuit (PVSS #3a) diff --git a/circuits/bin/production/enc_bfv_sk/src/main.nr b/circuits/bin/dkg/sk_share_encryption/src/main.nr similarity index 57% rename from circuits/bin/production/enc_bfv_sk/src/main.nr rename to circuits/bin/dkg/sk_share_encryption/src/main.nr index c290b8b2a1..68a3f7085d 100644 --- a/circuits/bin/production/enc_bfv_sk/src/main.nr 
+++ b/circuits/bin/dkg/sk_share_encryption/src/main.nr @@ -4,11 +4,13 @@ // without even the implied warranty of MERCHANTABILITY // or FITNESS FOR A PARTICULAR PURPOSE. -use lib::configs::production::bfv::{ - ENC_BFV_BIT_CT, ENC_BFV_BIT_E0, ENC_BFV_BIT_E1, ENC_BFV_BIT_MSG, ENC_BFV_BIT_P1, ENC_BFV_BIT_P2, - ENC_BFV_BIT_PK, ENC_BFV_BIT_R1, ENC_BFV_BIT_R2, ENC_BFV_BIT_U, ENC_BFV_CONFIGS_SK, L, N, +use lib::configs::default::dkg::{ + L, N, SHARE_ENCRYPTION_BIT_CT, SHARE_ENCRYPTION_BIT_E0, SHARE_ENCRYPTION_BIT_E1, + SHARE_ENCRYPTION_BIT_MSG, SHARE_ENCRYPTION_BIT_P1, SHARE_ENCRYPTION_BIT_P2, + SHARE_ENCRYPTION_BIT_PK, SHARE_ENCRYPTION_BIT_R1, SHARE_ENCRYPTION_BIT_R2, + SHARE_ENCRYPTION_BIT_U, SHARE_ENCRYPTION_CONFIGS_SK, }; -use lib::core::bfv_enc::EncryptionBfv; +use lib::core::dkg::share_encryption::ShareEncryption; use lib::math::polynomial::Polynomial; fn main( @@ -29,8 +31,8 @@ fn main( p1is: [Polynomial<(2 * N) - 1>; L], p2is: [Polynomial; L], ) { - let enc_bfv: EncryptionBfv = EncryptionBfv::new( - ENC_BFV_CONFIGS_SK, + let share_encryption: ShareEncryption = ShareEncryption::new( + SHARE_ENCRYPTION_CONFIGS_SK, expected_pk_commitment, expected_message_commitment, pk0is, @@ -48,5 +50,5 @@ fn main( p1is, p2is, ); - enc_bfv.verify(); + share_encryption.execute(); } diff --git a/circuits/bin/insecure/Nargo.toml b/circuits/bin/insecure/Nargo.toml deleted file mode 100644 index 999368739a..0000000000 --- a/circuits/bin/insecure/Nargo.toml +++ /dev/null @@ -1,15 +0,0 @@ -[workspace] -members = [ - "pk_bfv", - "pk_trbfv", - "verify_shares_trbfv_sk", - "verify_shares_trbfv_e_sm", - "enc_bfv_sk", - "enc_bfv_e_sm", - "dec_bfv_sk", - "dec_bfv_e_sm", - "pk_agg_trbfv", - "greco", - "dec_share_trbfv", - "dec_shares_agg_trbfv" -] \ No newline at end of file diff --git a/circuits/bin/insecure/dec_bfv_e_sm/README.md b/circuits/bin/insecure/dec_bfv_e_sm/README.md deleted file mode 100644 index d588064a46..0000000000 --- a/circuits/bin/insecure/dec_bfv_e_sm/README.md +++ /dev/null 
@@ -1 +0,0 @@ -insecure instantiation of dec_bfv smudging noise circuit (PVSS #4b) diff --git a/circuits/bin/insecure/dec_bfv_e_sm/src/main.nr b/circuits/bin/insecure/dec_bfv_e_sm/src/main.nr deleted file mode 100644 index 0354c61c13..0000000000 --- a/circuits/bin/insecure/dec_bfv_e_sm/src/main.nr +++ /dev/null @@ -1,22 +0,0 @@ -// SPDX-License-Identifier: LGPL-3.0-only -// -// This file is provided WITHOUT ANY WARRANTY; -// without even the implied warranty of MERCHANTABILITY -// or FITNESS FOR A PARTICULAR PURPOSE. - -use lib::configs::insecure::bfv::{DEC_BFV_BIT_MSG_E_SM, L_TRBFV, N}; -use lib::core::bfv_dec::BfvDecCommitVerify; -use lib::math::polynomial::Polynomial; - -/// Number of honest parties. -pub global H: u32 = 5; - -fn main( - expected_commitments: pub [[Field; L_TRBFV]; H], - decrypted_shares: [[Polynomial; L_TRBFV]; H], -) -> pub Field { - let circuit: BfvDecCommitVerify = - BfvDecCommitVerify::new(expected_commitments, decrypted_shares); - - circuit.verify() -} diff --git a/circuits/bin/insecure/dec_bfv_sk/README.md b/circuits/bin/insecure/dec_bfv_sk/README.md deleted file mode 100644 index ea1b15e3fd..0000000000 --- a/circuits/bin/insecure/dec_bfv_sk/README.md +++ /dev/null @@ -1 +0,0 @@ -insecure instantiation of dec_bfv secret key circuit (PVSS #4a) diff --git a/circuits/bin/insecure/dec_bfv_sk/src/main.nr b/circuits/bin/insecure/dec_bfv_sk/src/main.nr deleted file mode 100644 index b9b50e8a8a..0000000000 --- a/circuits/bin/insecure/dec_bfv_sk/src/main.nr +++ /dev/null 
@@ -1,22 +0,0 @@ -// SPDX-License-Identifier: LGPL-3.0-only -// -// This file is provided WITHOUT ANY WARRANTY; -// without even the implied warranty of MERCHANTABILITY -// or FITNESS FOR A PARTICULAR PURPOSE. - -use lib::configs::insecure::bfv::{DEC_BFV_BIT_MSG_SK, L_TRBFV, N}; -use lib::core::bfv_dec::BfvDecCommitVerify; -use lib::math::polynomial::Polynomial; - -/// Number of honest parties. -pub global H: u32 = 5; - -fn main( - expected_commitments: pub [[Field; L_TRBFV]; H], - decrypted_shares: [[Polynomial; L_TRBFV]; H], -) -> pub Field { - let circuit: BfvDecCommitVerify = - BfvDecCommitVerify::new(expected_commitments, decrypted_shares); - - circuit.verify() -} diff --git a/circuits/bin/insecure/dec_share_trbfv/README.md b/circuits/bin/insecure/dec_share_trbfv/README.md deleted file mode 100644 index 26c85ac8a8..0000000000 --- a/circuits/bin/insecure/dec_share_trbfv/README.md +++ /dev/null @@ -1 +0,0 @@ -insecure instantiation of dec_share_trbfv circuit (PVSS #6) diff --git a/circuits/bin/insecure/dec_share_trbfv/src/main.nr b/circuits/bin/insecure/dec_share_trbfv/src/main.nr deleted file mode 100644 index 4863282066..0000000000 --- a/circuits/bin/insecure/dec_share_trbfv/src/main.nr +++ /dev/null 
@@ -1,39 +0,0 @@ -// SPDX-License-Identifier: LGPL-3.0-only -// -// This file is provided WITHOUT ANY WARRANTY; -// without even the implied warranty of MERCHANTABILITY -// or FITNESS FOR A PARTICULAR PURPOSE. - -use lib::configs::insecure::trbfv::{ - DEC_SHARES_BIT_CT, DEC_SHARES_BIT_D, DEC_SHARES_BIT_E, DEC_SHARES_BIT_R1, DEC_SHARES_BIT_R2, - DEC_SHARES_BIT_S, DEC_SHARES_CONFIGS, L, N, -}; -use lib::core::trbfv_dec_share::DecryptionShare; -use lib::math::polynomial::Polynomial; - -fn main( - expected_s_commitment: pub Field, - expected_e_commitment: pub Field, - c_0: pub [Polynomial; L], - c_1: pub [Polynomial; L], - s: [Polynomial; L], - e: [Polynomial; L], - r_1: [Polynomial<(2 * N) - 1>; L], - r_2: [Polynomial; L], - d: pub [Polynomial; L], -) { - let dec_share: DecryptionShare = DecryptionShare::new( - DEC_SHARES_CONFIGS, - expected_s_commitment, - expected_e_commitment, - c_0, - c_1, - s, - e, - r_1, - r_2, - d, - ); - - dec_share.verify() -} diff --git a/circuits/bin/insecure/dec_shares_agg_trbfv/README.md b/circuits/bin/insecure/dec_shares_agg_trbfv/README.md deleted file mode 100644 index 597bde76e3..0000000000 --- a/circuits/bin/insecure/dec_shares_agg_trbfv/README.md +++ /dev/null @@ -1 +0,0 @@ -insecure instantiation of dec_shares_agg_trbfv circuit (PVSS #7) diff --git a/circuits/bin/insecure/enc_bfv_e_sm/README.md b/circuits/bin/insecure/enc_bfv_e_sm/README.md deleted file mode 100644 index 4b06d51499..0000000000 --- a/circuits/bin/insecure/enc_bfv_e_sm/README.md +++ /dev/null @@ -1 +0,0 @@ -insecure instantiation of enc_bfv smudging noise circuit (PVSS #3b) diff --git a/circuits/bin/insecure/enc_bfv_e_sm/src/main.nr b/circuits/bin/insecure/enc_bfv_e_sm/src/main.nr deleted file mode 100644 index 43ca54689a..0000000000 --- a/circuits/bin/insecure/enc_bfv_e_sm/src/main.nr +++ /dev/null 
@@ -1,52 +0,0 @@ -// SPDX-License-Identifier: LGPL-3.0-only -// -// This file is provided WITHOUT ANY WARRANTY; -// without even the implied warranty of MERCHANTABILITY -// or FITNESS FOR A PARTICULAR PURPOSE. - -use lib::configs::insecure::bfv::{ - ENC_BFV_BIT_CT, ENC_BFV_BIT_E0, ENC_BFV_BIT_E1, ENC_BFV_BIT_MSG, ENC_BFV_BIT_P1, ENC_BFV_BIT_P2, - ENC_BFV_BIT_PK, ENC_BFV_BIT_R1, ENC_BFV_BIT_R2, ENC_BFV_BIT_U, ENC_BFV_CONFIGS_E_SM, L, N, -}; -use lib::core::bfv_enc::EncryptionBfv; -use lib::math::polynomial::Polynomial; - -fn main( - expected_pk_commitment: pub Field, - expected_message_commitment: pub Field, - pk0is: [Polynomial; L], - pk1is: [Polynomial; L], - ct0is: pub [Polynomial; L], - ct1is: pub [Polynomial; L], - u: Polynomial, - e0: Polynomial, - e0is: [Polynomial; L], - e0_quotients: [Polynomial; L], - e1: Polynomial, - message: Polynomial, - r1is: [Polynomial<(2 * N) - 1>; L], - r2is: [Polynomial; L], - p1is: [Polynomial<(2 * N) - 1>; L], - p2is: [Polynomial; L], -) { - let enc_bfv: EncryptionBfv = EncryptionBfv::new( - ENC_BFV_CONFIGS_E_SM, - expected_pk_commitment, - expected_message_commitment, - pk0is, - pk1is, - ct0is, - ct1is, - u, - e0, - e0is, - e0_quotients, - e1, - message, - r1is, - r2is, - p1is, - p2is, - ); - enc_bfv.verify(); -} diff --git a/circuits/bin/insecure/enc_bfv_sk/Nargo.toml b/circuits/bin/insecure/enc_bfv_sk/Nargo.toml deleted file mode 100644 index 1f980ff8c9..0000000000 --- a/circuits/bin/insecure/enc_bfv_sk/Nargo.toml +++ /dev/null @@ -1,9 +0,0 @@ -[package] -name = "enc_bfv_sk" -type = "bin" -authors = ["Gnosis Guild / Enclave"] -version = "1.0.0-beta.15" - - -[dependencies] -lib = { path = "../../../lib" } diff --git a/circuits/bin/insecure/enc_bfv_sk/README.md b/circuits/bin/insecure/enc_bfv_sk/README.md deleted file mode 100644 index f4968b795f..0000000000 --- a/circuits/bin/insecure/enc_bfv_sk/README.md +++ /dev/null @@ -1 +0,0 @@ -insecure instantiation of enc_bfv secret key circuit (PVSS #3a) 
diff --git a/circuits/bin/insecure/enc_bfv_sk/src/main.nr b/circuits/bin/insecure/enc_bfv_sk/src/main.nr deleted file mode 100644 index 11d4ed60e7..0000000000 --- a/circuits/bin/insecure/enc_bfv_sk/src/main.nr +++ /dev/null @@ -1,52 +0,0 @@ -// SPDX-License-Identifier: LGPL-3.0-only -// -// This file is provided WITHOUT ANY WARRANTY; -// without even the implied warranty of MERCHANTABILITY -// or FITNESS FOR A PARTICULAR PURPOSE. - -use lib::configs::insecure::bfv::{ - ENC_BFV_BIT_CT, ENC_BFV_BIT_E0, ENC_BFV_BIT_E1, ENC_BFV_BIT_MSG, ENC_BFV_BIT_P1, ENC_BFV_BIT_P2, - ENC_BFV_BIT_PK, ENC_BFV_BIT_R1, ENC_BFV_BIT_R2, ENC_BFV_BIT_U, ENC_BFV_CONFIGS_SK, L, N, -}; -use lib::core::bfv_enc::EncryptionBfv; -use lib::math::polynomial::Polynomial; - -fn main( - expected_pk_commitment: pub Field, - expected_message_commitment: pub Field, - pk0is: [Polynomial; L], - pk1is: [Polynomial; L], - ct0is: pub [Polynomial; L], - ct1is: pub [Polynomial; L], - u: Polynomial, - e0: Polynomial, - e0is: [Polynomial; L], - e0_quotients: [Polynomial; L], - e1: Polynomial, - message: Polynomial, - r1is: [Polynomial<(2 * N) - 1>; L], - r2is: [Polynomial; L], - p1is: [Polynomial<(2 * N) - 1>; L], - p2is: [Polynomial; L], -) { - let enc_bfv: EncryptionBfv = EncryptionBfv::new( - ENC_BFV_CONFIGS_SK, - expected_pk_commitment, - expected_message_commitment, - pk0is, - pk1is, - ct0is, - ct1is, - u, - e0, - e0is, - e0_quotients, - e1, - message, - r1is, - r2is, - p1is, - p2is, - ); - enc_bfv.verify(); -} diff --git a/circuits/bin/insecure/greco/README.md b/circuits/bin/insecure/greco/README.md deleted file mode 100644 index abf6a0aa1c..0000000000 --- a/circuits/bin/insecure/greco/README.md +++ /dev/null @@ -1 +0,0 @@ -insecure instantiation of Greco circuit diff --git a/circuits/bin/insecure/greco/src/main.nr b/circuits/bin/insecure/greco/src/main.nr deleted file mode 100644 index 6ac6942e64..0000000000 --- a/circuits/bin/insecure/greco/src/main.nr +++ /dev/null 
@@ -1,51 +0,0 @@ -// SPDX-License-Identifier: LGPL-3.0-only -// -// This file is provided WITHOUT ANY WARRANTY; -// without even the implied warranty of MERCHANTABILITY -// or FITNESS FOR A PARTICULAR PURPOSE. - -use lib::configs::insecure::trbfv::{ - GRECO_BIT_CT, GRECO_BIT_E0, GRECO_BIT_E1, GRECO_BIT_K, GRECO_BIT_P1, GRECO_BIT_P2, GRECO_BIT_PK, - GRECO_BIT_R1, GRECO_BIT_R2, GRECO_BIT_U, GRECO_CONFIGS, L, N, -}; -use lib::core::greco::Greco; -use lib::math::polynomial::Polynomial; - -fn main( - pk_commitment: pub Field, - pk0is: [Polynomial; L], - pk1is: [Polynomial; L], - ct0is: [Polynomial; L], - ct1is: [Polynomial; L], - u: Polynomial, - e0: Polynomial, - e1: Polynomial, - e0is: [Polynomial; L], - e0_quotients: [Polynomial; L], - k1: Polynomial, - r1is: [Polynomial<(2 * N) - 1>; L], - r2is: [Polynomial; L], - p1is: [Polynomial<(2 * N) - 1>; L], - p2is: [Polynomial; L], -) { - let greco: Greco = Greco::new( - GRECO_CONFIGS, - pk_commitment, - pk0is, - pk1is, - ct0is, - ct1is, - u, - e0, - e0is, - e0_quotients, - e1, - k1, - r1is, - r2is, - p1is, - p2is, - ); - let is_greco_valid = greco.verify(); - assert(is_greco_valid); -} diff --git a/circuits/bin/insecure/pk_agg_trbfv/Nargo.toml b/circuits/bin/insecure/pk_agg_trbfv/Nargo.toml deleted file mode 100644 index 5795159baa..0000000000 --- a/circuits/bin/insecure/pk_agg_trbfv/Nargo.toml +++ /dev/null @@ -1,9 +0,0 @@ -[package] -name = "pk_agg_trbfv" -type = "bin" -authors = ["Gnosis Guild / Enclave"] -version = "1.0.0-beta.15" - - -[dependencies] -lib = { path = "../../../lib" } diff --git a/circuits/bin/insecure/pk_agg_trbfv/README.md b/circuits/bin/insecure/pk_agg_trbfv/README.md deleted file mode 100644 index bad797050f..0000000000 --- a/circuits/bin/insecure/pk_agg_trbfv/README.md +++ /dev/null @@ -1 +0,0 @@ -insecure instantiation of Threshold BFV Public Key Aggregation circuit (PVSS #5) 
diff --git a/circuits/bin/insecure/pk_bfv/Nargo.toml b/circuits/bin/insecure/pk_bfv/Nargo.toml deleted file mode 100644 index acc96bf081..0000000000 --- a/circuits/bin/insecure/pk_bfv/Nargo.toml +++ /dev/null @@ -1,9 +0,0 @@ -[package] -name = "pk_bfv" -type = "bin" -authors = ["Gnosis Guild / Enclave"] -version = "1.0.0-beta.15" - - -[dependencies] -lib = { path = "../../../lib" } diff --git a/circuits/bin/insecure/pk_bfv/README.md b/circuits/bin/insecure/pk_bfv/README.md deleted file mode 100644 index 63b2150c71..0000000000 --- a/circuits/bin/insecure/pk_bfv/README.md +++ /dev/null @@ -1 +0,0 @@ -insecure instantiation of BFV Public Key circuit (PVSS #0) diff --git a/circuits/bin/insecure/pk_trbfv/Nargo.toml b/circuits/bin/insecure/pk_trbfv/Nargo.toml deleted file mode 100644 index 7b1bb89db4..0000000000 --- a/circuits/bin/insecure/pk_trbfv/Nargo.toml +++ /dev/null @@ -1,9 +0,0 @@ -[package] -name = "pk_trbfv" -type = "bin" -authors = ["Gnosis Guild / Enclave"] -version = "1.0.0-beta.15" - - -[dependencies] -lib = { path = "../../../lib" } diff --git a/circuits/bin/insecure/pk_trbfv/README.md b/circuits/bin/insecure/pk_trbfv/README.md deleted file mode 100644 index ea0cbce733..0000000000 --- a/circuits/bin/insecure/pk_trbfv/README.md +++ /dev/null @@ -1 +0,0 @@ -insecure instantiation of Threshold BFV Public Key circuit (PVSS #1) diff --git a/circuits/bin/insecure/pk_trbfv/src/main.nr b/circuits/bin/insecure/pk_trbfv/src/main.nr deleted file mode 100644 index 3eafede8c1..0000000000 --- a/circuits/bin/insecure/pk_trbfv/src/main.nr +++ /dev/null 
@@ -1,27 +0,0 @@ -// SPDX-License-Identifier: LGPL-3.0-only -// -// This file is provided WITHOUT ANY WARRANTY; -// without even the implied warranty of MERCHANTABILITY -// or FITNESS FOR A PARTICULAR PURPOSE. - -use lib::configs::insecure::trbfv::{ - L, N, PK_TRBFV_BIT_E_SM, PK_TRBFV_BIT_EEK, PK_TRBFV_BIT_PK, PK_TRBFV_BIT_R1, PK_TRBFV_BIT_R2, - PK_TRBFV_BIT_SK, PK_TRBFV_CONFIGS, -}; -use lib::core::trbfv_pk::TrbfvPublicKey; -use lib::math::polynomial::Polynomial; - -fn main( - a: pub [Polynomial; L], - eek: Polynomial, - sk: Polynomial, - e_sm: [Polynomial; L], - r1is: [Polynomial<(2 * N) - 1>; L], - r2is: [Polynomial; L], - pk0is: [Polynomial; L], - pk1is: [Polynomial; L], -) -> pub (Field, Field, Field) { - let pk_trbfv: TrbfvPublicKey = - TrbfvPublicKey::new(PK_TRBFV_CONFIGS, a, eek, sk, e_sm, r1is, r2is, pk0is, pk1is); - pk_trbfv.verify() -} diff --git a/circuits/bin/insecure/verify_shares_trbfv_e_sm/Nargo.toml b/circuits/bin/insecure/verify_shares_trbfv_e_sm/Nargo.toml deleted file mode 100644 index bc36263a21..0000000000 --- a/circuits/bin/insecure/verify_shares_trbfv_e_sm/Nargo.toml +++ /dev/null @@ -1,9 +0,0 @@ -[package] -name = "verify_shares_trbfv_e_sm" -type = "bin" -authors = ["Gnosis Guild / Enclave"] -version = "1.0.0-beta.15" - - -[dependencies] -lib = { path = "../../../lib" } diff --git a/circuits/bin/insecure/verify_shares_trbfv_e_sm/README.md b/circuits/bin/insecure/verify_shares_trbfv_e_sm/README.md deleted file mode 100644 index 05f5057209..0000000000 --- a/circuits/bin/insecure/verify_shares_trbfv_e_sm/README.md +++ /dev/null @@ -1 +0,0 @@ -insecure instantiation of verify_shares_trbfv smudging noise circuit (PVSS #2b) diff --git a/circuits/bin/insecure/verify_shares_trbfv_e_sm/src/main.nr b/circuits/bin/insecure/verify_shares_trbfv_e_sm/src/main.nr deleted file mode 100644 index 7256d11a23..0000000000 --- a/circuits/bin/insecure/verify_shares_trbfv_e_sm/src/main.nr +++ /dev/null 
@@ -1,46 +0,0 @@ -// SPDX-License-Identifier: LGPL-3.0-only -// -// This file is provided WITHOUT ANY WARRANTY; -// without even the implied warranty of MERCHANTABILITY -// or FITNESS FOR A PARTICULAR PURPOSE. - -use lib::configs::insecure::trbfv::{ - L, N, VERIFY_SHARES_BIT_SECRET_E_SM, VERIFY_SHARES_BIT_SHARE, VERIFY_SHARES_CONFIGS_E_SM, -}; -use lib::core::trbfv_verify_shares::VerifySharesEsm; -use lib::math::polynomial::Polynomial; - -/// Number of parties. -pub global N_PARTIES: u32 = 5; -/// Threshold. -pub global T: u32 = 2; -/// Parity check matrix for each modulus. -/// H[modulus_idx][row][col] where size is [L][N_PARTIES-T][N_PARTIES+1] -pub global H: [[[Field; N_PARTIES + 1]; N_PARTIES - T]; L] = [ - [ - [68719403008, 3, 68719403006, 1, 0, 0], - [68719403006, 8, 68719403003, 0, 1, 0], - [68719403003, 15, 68719402999, 0, 0, 1], - ], - [ - [68719230976, 3, 68719230974, 1, 0, 0], - [68719230974, 8, 68719230971, 0, 1, 0], - [68719230971, 15, 68719230967, 0, 0, 1], - ], -]; - -fn main( - expected_secret_commitment: pub Field, - secret_e_sm: [Polynomial; L], - y: [[[Field; N_PARTIES + 1]; L]; N], -) -> pub [[Field; L]; N_PARTIES] { - let verify_shares: VerifySharesEsm = VerifySharesEsm::new( - VERIFY_SHARES_CONFIGS_E_SM, - expected_secret_commitment, - secret_e_sm, - y, - H, - ); - - verify_shares.verify() -} diff --git a/circuits/bin/insecure/verify_shares_trbfv_sk/Nargo.toml b/circuits/bin/insecure/verify_shares_trbfv_sk/Nargo.toml deleted file mode 100644 index 2e37875c00..0000000000 --- a/circuits/bin/insecure/verify_shares_trbfv_sk/Nargo.toml +++ /dev/null @@ -1,9 +0,0 @@ -[package] -name = "verify_shares_trbfv_sk" -type = "bin" -authors = ["Gnosis Guild / Enclave"] -version = "1.0.0-beta.15" - - -[dependencies] -lib = { path = "../../../lib" } diff --git a/circuits/bin/insecure/verify_shares_trbfv_sk/README.md b/circuits/bin/insecure/verify_shares_trbfv_sk/README.md deleted file mode 100644 index 9c701969a0..0000000000 
--- a/circuits/bin/insecure/verify_shares_trbfv_sk/README.md +++ /dev/null @@ -1 +0,0 @@ -insecure instantiation of verify_shares_trbfv secret key circuit (PVSS #2a) diff --git a/circuits/bin/insecure/verify_shares_trbfv_sk/src/main.nr b/circuits/bin/insecure/verify_shares_trbfv_sk/src/main.nr deleted file mode 100644 index 6aa657d5a4..0000000000 --- a/circuits/bin/insecure/verify_shares_trbfv_sk/src/main.nr +++ /dev/null @@ -1,46 +0,0 @@ -// SPDX-License-Identifier: LGPL-3.0-only -// -// This file is provided WITHOUT ANY WARRANTY; -// without even the implied warranty of MERCHANTABILITY -// or FITNESS FOR A PARTICULAR PURPOSE. - -use lib::configs::insecure::trbfv::{ - L, N, VERIFY_SHARES_BIT_SECRET_SK, VERIFY_SHARES_BIT_SHARE, VERIFY_SHARES_CONFIGS_SK, -}; -use lib::core::trbfv_verify_shares::VerifySharesSk; -use lib::math::polynomial::Polynomial; - -/// Number of parties. -pub global N_PARTIES: u32 = 5; -/// Threshold. -pub global T: u32 = 2; -/// Parity check matrix for each modulus. -/// H[modulus_idx][row][col] where size is [L][N_PARTIES-T][N_PARTIES+1] -pub global H: [[[Field; N_PARTIES + 1]; N_PARTIES - T]; L] = [ - [ - [68719403008, 3, 68719403006, 1, 0, 0], - [68719403006, 8, 68719403003, 0, 1, 0], - [68719403003, 15, 68719402999, 0, 0, 1], - ], - [ - [68719230976, 3, 68719230974, 1, 0, 0], - [68719230974, 8, 68719230971, 0, 1, 0], - [68719230971, 15, 68719230967, 0, 0, 1], - ], -]; - -fn main( - expected_secret_commitment: pub Field, - secret_sk: Polynomial, - y: [[[Field; N_PARTIES + 1]; L]; N], -) -> pub [[Field; L]; N_PARTIES] { - let verify_shares: VerifySharesSk = VerifySharesSk::new( - VERIFY_SHARES_CONFIGS_SK, - expected_secret_commitment, - secret_sk, - y, - H, - ); - - verify_shares.verify() -} diff --git a/circuits/bin/production/Nargo.toml b/circuits/bin/production/Nargo.toml deleted file mode 100644 index becb094990..0000000000 --- a/circuits/bin/production/Nargo.toml +++ /dev/null 
@@ -1,15 +0,0 @@ -[workspace] -members = [ - "pk_bfv", - "pk_trbfv", - "verify_shares_trbfv_sk", - "verify_shares_trbfv_e_sm", - "enc_bfv_sk", - "enc_bfv_e_sm", - "dec_bfv_sk", - "dec_bfv_e_sm", - "pk_agg_trbfv", - "greco", - "dec_share_trbfv", - "dec_shares_agg_trbfv" -] \ No newline at end of file diff --git a/circuits/bin/production/dec_bfv_e_sm/Nargo.toml b/circuits/bin/production/dec_bfv_e_sm/Nargo.toml deleted file mode 100644 index f72554aadf..0000000000 --- a/circuits/bin/production/dec_bfv_e_sm/Nargo.toml +++ /dev/null @@ -1,9 +0,0 @@ -[package] -name = "dec_bfv_e_sm" -type = "bin" -authors = ["Gnosis Guild / Enclave"] -version = "1.0.0-beta.15" - - -[dependencies] -lib = { path = "../../../lib" } diff --git a/circuits/bin/production/dec_bfv_e_sm/README.md b/circuits/bin/production/dec_bfv_e_sm/README.md deleted file mode 100644 index 3a9ab911a2..0000000000 --- a/circuits/bin/production/dec_bfv_e_sm/README.md +++ /dev/null @@ -1 +0,0 @@ -production instantiation of dec_bfv smudging noise circuit (PVSS #4b) diff --git a/circuits/bin/production/dec_bfv_e_sm/src/main.nr b/circuits/bin/production/dec_bfv_e_sm/src/main.nr deleted file mode 100644 index 892015caf7..0000000000 --- a/circuits/bin/production/dec_bfv_e_sm/src/main.nr +++ /dev/null @@ -1,22 +0,0 @@ -// SPDX-License-Identifier: LGPL-3.0-only -// -// This file is provided WITHOUT ANY WARRANTY; -// without even the implied warranty of MERCHANTABILITY -// or FITNESS FOR A PARTICULAR PURPOSE. - -use lib::configs::production::bfv::{DEC_BFV_BIT_MSG_E_SM, L_TRBFV, N}; -use lib::core::bfv_dec::BfvDecCommitVerify; -use lib::math::polynomial::Polynomial; - -/// Number of honest parties. -pub global H: u32 = 5; - -fn main( - expected_commitments: pub [[Field; L_TRBFV]; H], - decrypted_shares: [[Polynomial; L_TRBFV]; H], -) -> pub Field { - let circuit: BfvDecCommitVerify = - BfvDecCommitVerify::new(expected_commitments, decrypted_shares); - - circuit.verify() -} 
diff --git a/circuits/bin/production/dec_bfv_sk/Nargo.toml b/circuits/bin/production/dec_bfv_sk/Nargo.toml deleted file mode 100644 index ad3b7f7f8c..0000000000 --- a/circuits/bin/production/dec_bfv_sk/Nargo.toml +++ /dev/null @@ -1,9 +0,0 @@ -[package] -name = "dec_bfv_sk" -type = "bin" -authors = ["Gnosis Guild / Enclave"] -version = "1.0.0-beta.15" - - -[dependencies] -lib = { path = "../../../lib" } diff --git a/circuits/bin/production/dec_bfv_sk/README.md b/circuits/bin/production/dec_bfv_sk/README.md deleted file mode 100644 index 421887b0e8..0000000000 --- a/circuits/bin/production/dec_bfv_sk/README.md +++ /dev/null @@ -1 +0,0 @@ -production instantiation of dec_bfv secret key circuit (PVSS #4a) diff --git a/circuits/bin/production/dec_bfv_sk/src/main.nr b/circuits/bin/production/dec_bfv_sk/src/main.nr deleted file mode 100644 index 448f92b044..0000000000 --- a/circuits/bin/production/dec_bfv_sk/src/main.nr +++ /dev/null @@ -1,22 +0,0 @@ -// SPDX-License-Identifier: LGPL-3.0-only -// -// This file is provided WITHOUT ANY WARRANTY; -// without even the implied warranty of MERCHANTABILITY -// or FITNESS FOR A PARTICULAR PURPOSE. - -use lib::configs::production::bfv::{DEC_BFV_BIT_MSG_SK, L_TRBFV, N}; -use lib::core::bfv_dec::BfvDecCommitVerify; -use lib::math::polynomial::Polynomial; - -/// Number of honest parties. -pub global H: u32 = 5; - -fn main( - expected_commitments: pub [[Field; L_TRBFV]; H], - decrypted_shares: [[Polynomial; L_TRBFV]; H], -) -> pub Field { - let circuit: BfvDecCommitVerify = - BfvDecCommitVerify::new(expected_commitments, decrypted_shares); - - circuit.verify() -} diff --git a/circuits/bin/production/dec_share_trbfv/Nargo.toml b/circuits/bin/production/dec_share_trbfv/Nargo.toml deleted file mode 100644 index cc6b5f1e6b..0000000000 --- a/circuits/bin/production/dec_share_trbfv/Nargo.toml +++ /dev/null 
@@ -1,9 +0,0 @@ -[package] -name = "dec_share_trbfv" -type = "bin" -authors = ["Gnosis Guild / Enclave"] -version = "1.0.0-beta.15" - - -[dependencies] -lib = { path = "../../../lib" } diff --git a/circuits/bin/production/dec_share_trbfv/README.md b/circuits/bin/production/dec_share_trbfv/README.md deleted file mode 100644 index 4c01485a79..0000000000 --- a/circuits/bin/production/dec_share_trbfv/README.md +++ /dev/null @@ -1 +0,0 @@ -production instantiation of dec_share_trbfv circuit (PVSS #6) diff --git a/circuits/bin/production/dec_share_trbfv/src/main.nr b/circuits/bin/production/dec_share_trbfv/src/main.nr deleted file mode 100644 index f5a47a5429..0000000000 --- a/circuits/bin/production/dec_share_trbfv/src/main.nr +++ /dev/null @@ -1,39 +0,0 @@ -// SPDX-License-Identifier: LGPL-3.0-only -// -// This file is provided WITHOUT ANY WARRANTY; -// without even the implied warranty of MERCHANTABILITY -// or FITNESS FOR A PARTICULAR PURPOSE. - -use lib::configs::production::trbfv::{ - DEC_SHARES_BIT_CT, DEC_SHARES_BIT_D, DEC_SHARES_BIT_E, DEC_SHARES_BIT_R1, DEC_SHARES_BIT_R2, - DEC_SHARES_BIT_S, DEC_SHARES_CONFIGS, L, N, -}; -use lib::core::trbfv_dec_share::DecryptionShare; -use lib::math::polynomial::Polynomial; - -fn main( - expected_s_commitment: pub Field, - expected_e_commitment: pub Field, - c_0: pub [Polynomial; L], - c_1: pub [Polynomial; L], - s: [Polynomial; L], - e: [Polynomial; L], - r_1: [Polynomial<(2 * N) - 1>; L], - r_2: [Polynomial; L], - d: pub [Polynomial; L], -) { - let dec_share: DecryptionShare = DecryptionShare::new( - DEC_SHARES_CONFIGS, - expected_s_commitment, - expected_e_commitment, - c_0, - c_1, - s, - e, - r_1, - r_2, - d, - ); - - dec_share.verify() -} diff --git a/circuits/bin/production/dec_shares_agg_trbfv/Nargo.toml b/circuits/bin/production/dec_shares_agg_trbfv/Nargo.toml deleted file mode 100644 index e04a837cbc..0000000000 --- a/circuits/bin/production/dec_shares_agg_trbfv/Nargo.toml +++ /dev/null 
@@ -1,9 +0,0 @@ -[package] -name = "dec_shares_agg_trbfv" -type = "bin" -authors = ["Gnosis Guild / Enclave"] -version = "1.0.0-beta.15" - - -[dependencies] -lib = { path = "../../../lib" } diff --git a/circuits/bin/production/dec_shares_agg_trbfv/README.md b/circuits/bin/production/dec_shares_agg_trbfv/README.md deleted file mode 100644 index 0e4ce4eee5..0000000000 --- a/circuits/bin/production/dec_shares_agg_trbfv/README.md +++ /dev/null @@ -1 +0,0 @@ -production instantiation of dec_shares_agg_trbfv circuit (PVSS #7) diff --git a/circuits/bin/production/enc_bfv_e_sm/Nargo.toml b/circuits/bin/production/enc_bfv_e_sm/Nargo.toml deleted file mode 100644 index f34e6c7c44..0000000000 --- a/circuits/bin/production/enc_bfv_e_sm/Nargo.toml +++ /dev/null @@ -1,9 +0,0 @@ -[package] -name = "enc_bfv_e_sm" -type = "bin" -authors = ["Gnosis Guild / Enclave"] -version = "1.0.0-beta.15" - - -[dependencies] -lib = { path = "../../../lib" } diff --git a/circuits/bin/production/enc_bfv_e_sm/README.md b/circuits/bin/production/enc_bfv_e_sm/README.md deleted file mode 100644 index d8035d6d1d..0000000000 --- a/circuits/bin/production/enc_bfv_e_sm/README.md +++ /dev/null @@ -1 +0,0 @@ -production instantiation of enc_bfv smudging noise circuit (PVSS #3b) diff --git a/circuits/bin/production/enc_bfv_sk/Nargo.toml b/circuits/bin/production/enc_bfv_sk/Nargo.toml deleted file mode 100644 index 1f980ff8c9..0000000000 --- a/circuits/bin/production/enc_bfv_sk/Nargo.toml +++ /dev/null @@ -1,9 +0,0 @@ -[package] -name = "enc_bfv_sk" -type = "bin" -authors = ["Gnosis Guild / Enclave"] -version = "1.0.0-beta.15" - - -[dependencies] -lib = { path = "../../../lib" } diff --git a/circuits/bin/production/enc_bfv_sk/README.md b/circuits/bin/production/enc_bfv_sk/README.md deleted file mode 100644 index 39411db5ea..0000000000 --- a/circuits/bin/production/enc_bfv_sk/README.md +++ /dev/null @@ -1 +0,0 @@ -production instantiation of enc_bfv secret key circuit (PVSS #3a) 
diff --git a/circuits/bin/production/greco/Nargo.toml b/circuits/bin/production/greco/Nargo.toml deleted file mode 100644 index 7071850269..0000000000 --- a/circuits/bin/production/greco/Nargo.toml +++ /dev/null @@ -1,9 +0,0 @@ -[package] -name = "greco" -type = "bin" -authors = ["Gnosis Guild / Enclave"] -version = "1.0.0-beta.15" - - -[dependencies] -lib = { path = "../../../lib" } diff --git a/circuits/bin/production/greco/README.md b/circuits/bin/production/greco/README.md deleted file mode 100644 index 143d50f56a..0000000000 --- a/circuits/bin/production/greco/README.md +++ /dev/null @@ -1 +0,0 @@ -production instantiation of Greco circuit diff --git a/circuits/bin/production/greco/src/main.nr b/circuits/bin/production/greco/src/main.nr deleted file mode 100644 index d561098c0f..0000000000 --- a/circuits/bin/production/greco/src/main.nr +++ /dev/null 
@@ -1,51 +0,0 @@ -// SPDX-License-Identifier: LGPL-3.0-only -// -// This file is provided WITHOUT ANY WARRANTY; -// without even the implied warranty of MERCHANTABILITY -// or FITNESS FOR A PARTICULAR PURPOSE. - -use lib::configs::production::trbfv::{ - GRECO_BIT_CT, GRECO_BIT_E0, GRECO_BIT_E1, GRECO_BIT_K, GRECO_BIT_P1, GRECO_BIT_P2, GRECO_BIT_PK, - GRECO_BIT_R1, GRECO_BIT_R2, GRECO_BIT_U, GRECO_CONFIGS, L, N, -}; -use lib::core::greco::Greco; -use lib::math::polynomial::Polynomial; - -fn main( - pk_commitment: pub Field, - pk0is: [Polynomial; L], - pk1is: [Polynomial; L], - ct0is: [Polynomial; L], - ct1is: [Polynomial; L], - u: Polynomial, - e0: Polynomial, - e1: Polynomial, - e0is: [Polynomial; L], - e0_quotients: [Polynomial; L], - k1: Polynomial, - r1is: [Polynomial<(2 * N) - 1>; L], - r2is: [Polynomial; L], - p1is: [Polynomial<(2 * N) - 1>; L], - p2is: [Polynomial; L], -) { - let greco: Greco = Greco::new( - GRECO_CONFIGS, - pk_commitment, - pk0is, - pk1is, - ct0is, - ct1is, - u, - e0, - e0is, - e0_quotients, - e1, - k1, - r1is, - r2is, - p1is, - p2is, - ); - let is_greco_valid = greco.verify(); - assert(is_greco_valid); -} diff --git a/circuits/bin/production/pk_agg_trbfv/Nargo.toml b/circuits/bin/production/pk_agg_trbfv/Nargo.toml deleted file mode 100644 index 4a32c89e12..0000000000 --- a/circuits/bin/production/pk_agg_trbfv/Nargo.toml +++ /dev/null @@ -1,8 +0,0 @@ -[package] -name = "pk_agg_trbfv" -type = "bin" -authors = ["Gnosis Guild / Enclave"] -version = "1.0.0-beta.15" - -[dependencies] -lib = { path = "../../../lib" } diff --git a/circuits/bin/production/pk_agg_trbfv/README.md b/circuits/bin/production/pk_agg_trbfv/README.md deleted file mode 100644 index 60228803e7..0000000000 --- a/circuits/bin/production/pk_agg_trbfv/README.md +++ /dev/null @@ -1 +0,0 @@ -production instantiation of Threshold BFV Public Key Aggregation circuit (PVSS #5) 
diff --git a/circuits/bin/production/pk_agg_trbfv/src/main.nr b/circuits/bin/production/pk_agg_trbfv/src/main.nr deleted file mode 100644 index d8cc020d34..0000000000 --- a/circuits/bin/production/pk_agg_trbfv/src/main.nr +++ /dev/null @@ -1,31 +0,0 @@ -// SPDX-License-Identifier: LGPL-3.0-only -// -// This file is provided WITHOUT ANY WARRANTY; -// without even the implied warranty of MERCHANTABILITY -// or FITNESS FOR A PARTICULAR PURPOSE. - -use lib::configs::production::trbfv::{L, N, PK_AGG_TRBFV_BIT_PK, PK_AGG_TRBFV_CONFIGS}; -use lib::core::trbfv_pk_agg::TrbfvPublicKeyAggregation; -use lib::math::polynomial::Polynomial; - -/// Number of honest parties. -pub global H: u32 = 5; - -fn main( - expected_pk_trbfv_commitments: pub [Field; H], - pk0: [[Polynomial; L]; H], - pk1: [[Polynomial; L]; H], - pk0_agg: [Polynomial; L], - pk1_agg: [Polynomial; L], -) -> pub Field { - let pk_agg_trbfv: TrbfvPublicKeyAggregation = TrbfvPublicKeyAggregation::new( - PK_AGG_TRBFV_CONFIGS, - expected_pk_trbfv_commitments, - pk0, - pk1, - pk0_agg, - pk1_agg, - ); - - pk_agg_trbfv.verify() -} diff --git a/circuits/bin/production/pk_bfv/Nargo.toml b/circuits/bin/production/pk_bfv/Nargo.toml deleted file mode 100644 index 585e8bc524..0000000000 --- a/circuits/bin/production/pk_bfv/Nargo.toml +++ /dev/null @@ -1,8 +0,0 @@ -[package] -name = "pk_bfv" -type = "bin" -authors = ["Gnosis Guild / Enclave"] -version = "1.0.0-beta.15" - -[dependencies] -lib = { path = "../../../lib" } diff --git a/circuits/bin/production/pk_bfv/README.md b/circuits/bin/production/pk_bfv/README.md deleted file mode 100644 index ec8f150c68..0000000000 --- a/circuits/bin/production/pk_bfv/README.md +++ /dev/null @@ -1 +0,0 @@ -production instantiation of BFV Public Key circuit (PVSS #0) diff --git a/circuits/bin/production/pk_bfv/src/main.nr b/circuits/bin/production/pk_bfv/src/main.nr deleted file mode 100644 index d85c49ae58..0000000000 --- a/circuits/bin/production/pk_bfv/src/main.nr +++ /dev/null 
@@ -1,14 +0,0 @@ -// SPDX-License-Identifier: LGPL-3.0-only -// -// This file is provided WITHOUT ANY WARRANTY; -// without even the implied warranty of MERCHANTABILITY -// or FITNESS FOR A PARTICULAR PURPOSE. - -use lib::configs::production::bfv::{L, N, PK_BFV_BIT_PK}; -use lib::core::bfv_pk::BfvPkCommit; -use lib::math::polynomial::Polynomial; - -fn main(pk0is: [Polynomial; L], pk1is: [Polynomial; L]) -> pub Field { - let pk_bfv: BfvPkCommit = BfvPkCommit::new(pk0is, pk1is); - pk_bfv.verify() -} diff --git a/circuits/bin/production/pk_trbfv/Nargo.toml b/circuits/bin/production/pk_trbfv/Nargo.toml deleted file mode 100644 index 5c535fd218..0000000000 --- a/circuits/bin/production/pk_trbfv/Nargo.toml +++ /dev/null @@ -1,8 +0,0 @@ -[package] -name = "pk_trbfv" -type = "bin" -authors = ["Gnosis Guild / Enclave"] -version = "1.0.0-beta.15" - -[dependencies] -lib = { path = "../../../lib" } diff --git a/circuits/bin/production/pk_trbfv/README.md b/circuits/bin/production/pk_trbfv/README.md deleted file mode 100644 index 5c9b5aa307..0000000000 --- a/circuits/bin/production/pk_trbfv/README.md +++ /dev/null @@ -1 +0,0 @@ -production instantiation of Threshold BFV Public Key circuit (PVSS #1) diff --git a/circuits/bin/production/pk_trbfv/src/main.nr b/circuits/bin/production/pk_trbfv/src/main.nr deleted file mode 100644 index e303f93d05..0000000000 --- a/circuits/bin/production/pk_trbfv/src/main.nr +++ /dev/null 
@@ -1,27 +0,0 @@ -// SPDX-License-Identifier: LGPL-3.0-only -// -// This file is provided WITHOUT ANY WARRANTY; -// without even the implied warranty of MERCHANTABILITY -// or FITNESS FOR A PARTICULAR PURPOSE. - -use lib::configs::production::trbfv::{ - L, N, PK_TRBFV_BIT_E_SM, PK_TRBFV_BIT_EEK, PK_TRBFV_BIT_PK, PK_TRBFV_BIT_R1, PK_TRBFV_BIT_R2, - PK_TRBFV_BIT_SK, PK_TRBFV_CONFIGS, -}; -use lib::core::trbfv_pk::TrbfvPublicKey; -use lib::math::polynomial::Polynomial; - -fn main( - a: pub [Polynomial; L], - eek: Polynomial, - sk: Polynomial, - e_sm: [Polynomial; L], - r1is: [Polynomial<(2 * N) - 1>; L], - r2is: [Polynomial; L], - pk0is: [Polynomial; L], - pk1is: [Polynomial; L], -) -> pub (Field, Field, Field) { - let pk_trbfv: TrbfvPublicKey = - TrbfvPublicKey::new(PK_TRBFV_CONFIGS, a, eek, sk, e_sm, r1is, r2is, pk0is, pk1is); - pk_trbfv.verify() -} diff --git a/circuits/bin/production/verify_shares_trbfv_e_sm/Nargo.toml b/circuits/bin/production/verify_shares_trbfv_e_sm/Nargo.toml deleted file mode 100644 index bc36263a21..0000000000 --- a/circuits/bin/production/verify_shares_trbfv_e_sm/Nargo.toml +++ /dev/null @@ -1,9 +0,0 @@ -[package] -name = "verify_shares_trbfv_e_sm" -type = "bin" -authors = ["Gnosis Guild / Enclave"] -version = "1.0.0-beta.15" - - -[dependencies] -lib = { path = "../../../lib" } diff --git a/circuits/bin/production/verify_shares_trbfv_e_sm/README.md b/circuits/bin/production/verify_shares_trbfv_e_sm/README.md deleted file mode 100644 index 623089cec7..0000000000 --- a/circuits/bin/production/verify_shares_trbfv_e_sm/README.md +++ /dev/null @@ -1 +0,0 @@ -production instantiation of verify_shares_trbfv smudging noise circuit (PVSS #2b) diff --git a/circuits/bin/production/verify_shares_trbfv_e_sm/src/main.nr b/circuits/bin/production/verify_shares_trbfv_e_sm/src/main.nr deleted file mode 100644 index df839f625c..0000000000 --- a/circuits/bin/production/verify_shares_trbfv_e_sm/src/main.nr +++ /dev/null 
@@ -1,56 +0,0 @@ -// SPDX-License-Identifier: LGPL-3.0-only -// -// This file is provided WITHOUT ANY WARRANTY; -// without even the implied warranty of MERCHANTABILITY -// or FITNESS FOR A PARTICULAR PURPOSE. - -use lib::configs::production::trbfv::{ - L, N, VERIFY_SHARES_BIT_SECRET_E_SM, VERIFY_SHARES_BIT_SHARE, VERIFY_SHARES_CONFIGS_E_SM, -}; -use lib::core::trbfv_verify_shares::VerifySharesEsm; -use lib::math::polynomial::Polynomial; - -/// Number of parties. -pub global N_PARTIES: u32 = 5; -/// Threshold. -pub global T: u32 = 2; -/// Parity check matrix for each modulus. -/// H[modulus_idx][row][col] where size is [L][N_PARTIES-T][N_PARTIES+1] -pub global H: [[[Field; N_PARTIES + 1]; N_PARTIES - T]; L] = [ - [ - [2251799822204928, 3, 2251799822204926, 1, 0, 0], - [2251799822204926, 8, 2251799822204923, 0, 1, 0], - [2251799822204923, 15, 2251799822204919, 0, 0, 1], - ], - [ - [4503599627763712, 3, 4503599627763710, 1, 0, 0], - [4503599627763710, 8, 4503599627763707, 0, 1, 0], - [4503599627763707, 15, 4503599627763703, 0, 0, 1], - ], - [ - [4503599631433728, 3, 4503599631433726, 1, 0, 0], - [4503599631433726, 8, 4503599631433723, 0, 1, 0], - [4503599631433723, 15, 4503599631433719, 0, 0, 1], - ], - [ - [4503599634579456, 3, 4503599634579454, 1, 0, 0], - [4503599634579454, 8, 4503599634579451, 0, 1, 0], - [4503599634579451, 15, 4503599634579447, 0, 0, 1], - ], -]; - -fn main( - expected_secret_commitment: pub Field, - secret_e_sm: [Polynomial; L], - y: [[[Field; N_PARTIES + 1]; L]; N], -) -> pub [[Field; L]; N_PARTIES] { - let verify_shares: VerifySharesEsm = VerifySharesEsm::new( - VERIFY_SHARES_CONFIGS_E_SM, - expected_secret_commitment, - secret_e_sm, - y, - H, - ); - - verify_shares.verify() -} diff --git a/circuits/bin/production/verify_shares_trbfv_sk/Nargo.toml b/circuits/bin/production/verify_shares_trbfv_sk/Nargo.toml deleted file mode 100644 index 2e37875c00..0000000000 --- a/circuits/bin/production/verify_shares_trbfv_sk/Nargo.toml +++ /dev/null 
@@ -1,9 +0,0 @@ -[package] -name = "verify_shares_trbfv_sk" -type = "bin" -authors = ["Gnosis Guild / Enclave"] -version = "1.0.0-beta.15" - - -[dependencies] -lib = { path = "../../../lib" } diff --git a/circuits/bin/production/verify_shares_trbfv_sk/README.md b/circuits/bin/production/verify_shares_trbfv_sk/README.md deleted file mode 100644 index bae81c6647..0000000000 --- a/circuits/bin/production/verify_shares_trbfv_sk/README.md +++ /dev/null @@ -1 +0,0 @@ -production instantiation of verify_shares_trbfv secret key circuit (PVSS #2a) diff --git a/circuits/bin/production/verify_shares_trbfv_sk/src/main.nr b/circuits/bin/production/verify_shares_trbfv_sk/src/main.nr deleted file mode 100644 index e30a11ad7a..0000000000 --- a/circuits/bin/production/verify_shares_trbfv_sk/src/main.nr +++ /dev/null 
@@ -1,56 +0,0 @@ -// SPDX-License-Identifier: LGPL-3.0-only -// -// This file is provided WITHOUT ANY WARRANTY; -// without even the implied warranty of MERCHANTABILITY -// or FITNESS FOR A PARTICULAR PURPOSE. - -use lib::configs::production::trbfv::{ - L, N, VERIFY_SHARES_BIT_SECRET_SK, VERIFY_SHARES_BIT_SHARE, VERIFY_SHARES_CONFIGS_SK, -}; -use lib::core::trbfv_verify_shares::VerifySharesSk; -use lib::math::polynomial::Polynomial; - -/// Number of parties. -pub global N_PARTIES: u32 = 5; -/// Threshold. -pub global T: u32 = 2; -/// Parity check matrix for each modulus. -/// H[modulus_idx][row][col] where size is [L][N_PARTIES-T][N_PARTIES+1] -pub global H: [[[Field; N_PARTIES + 1]; N_PARTIES - T]; L] = [ - [ - [2251799822204928, 3, 2251799822204926, 1, 0, 0], - [2251799822204926, 8, 2251799822204923, 0, 1, 0], - [2251799822204923, 15, 2251799822204919, 0, 0, 1], - ], - [ - [4503599627763712, 3, 4503599627763710, 1, 0, 0], - [4503599627763710, 8, 4503599627763707, 0, 1, 0], - [4503599627763707, 15, 4503599627763703, 0, 0, 1], - ], - [ - [4503599631433728, 3, 4503599631433726, 1, 0, 0], - [4503599631433726, 8, 4503599631433723, 0, 1, 0], - [4503599631433723, 15, 4503599631433719, 0, 0, 1], - ], - [ - [4503599634579456, 3, 4503599634579454, 1, 0, 0], - [4503599634579454, 8, 4503599634579451, 0, 1, 0], - [4503599634579451, 15, 4503599634579447, 0, 0, 1], - ], -]; - -fn main( - expected_secret_commitment: pub Field, - secret_sk: Polynomial, - y: [[[Field; N_PARTIES + 1]; L]; N], -) -> pub [[Field; L]; N_PARTIES] { - let verify_shares: VerifySharesSk = VerifySharesSk::new( - VERIFY_SHARES_CONFIGS_SK, - expected_secret_commitment, - secret_sk, - y, - H, - ); - - verify_shares.verify() -} diff --git a/circuits/bin/aggregation/fold/Nargo.toml b/circuits/bin/recursive_aggregation/fold/Nargo.toml similarity index 100% rename from circuits/bin/aggregation/fold/Nargo.toml rename to circuits/bin/recursive_aggregation/fold/Nargo.toml 
diff --git a/circuits/bin/aggregation/fold/src/main.nr b/circuits/bin/recursive_aggregation/fold/src/main.nr
similarity index 84%
rename from circuits/bin/aggregation/fold/src/main.nr
rename to circuits/bin/recursive_aggregation/fold/src/main.nr
index 944792b7b4..7d979a960d 100644
--- a/circuits/bin/aggregation/fold/src/main.nr
+++ b/circuits/bin/recursive_aggregation/fold/src/main.nr
@@ -5,7 +5,7 @@
 // or FITNESS FOR A PARTICULAR PURPOSE.
 use bb_proof_verification::{UltraHonkProof, UltraHonkVerificationKey, verify_ultrahonk_proof};
-use lib::math::commitments::compute_aggregation_commitment;
+use lib::math::commitments::compute_recursive_aggregation_commitment;
 fn main(
 verification_key: UltraHonkVerificationKey,
@@ -21,5 +21,5 @@ fn main(
 commitments_vec.push(commitments[0]);
 commitments_vec.push(commitments[1]);
- compute_aggregation_commitment(commitments_vec)
+ compute_recursive_aggregation_commitment(commitments_vec)
 }
diff --git a/circuits/bin/recursive_aggregation/wrapper/dkg/Nargo.toml b/circuits/bin/recursive_aggregation/wrapper/dkg/Nargo.toml
new file mode 100644
index 0000000000..29f0bd03c9
--- /dev/null
+++ b/circuits/bin/recursive_aggregation/wrapper/dkg/Nargo.toml
@@ -0,0 +1,7 @@
+[workspace]
+members = [
+"pk",
+"share_computation",
+"share_encryption",
+"share_decryption",
+]
\ No newline at end of file
diff --git a/circuits/bin/aggregation/production/enc_bfv_wrapper/Nargo.toml b/circuits/bin/recursive_aggregation/wrapper/dkg/pk/Nargo.toml
similarity index 82%
rename from circuits/bin/aggregation/production/enc_bfv_wrapper/Nargo.toml
rename to circuits/bin/recursive_aggregation/wrapper/dkg/pk/Nargo.toml
index 40ab5f97e6..61858b7d1e 100644
--- a/circuits/bin/aggregation/production/enc_bfv_wrapper/Nargo.toml
+++ b/circuits/bin/recursive_aggregation/wrapper/dkg/pk/Nargo.toml
@@ -1,9 +1,9 @@
 [package]
-name = "enc_bfv_wrapper"
+name = "pk"
 type = "bin"
 authors = ["Gnosis Guild / Enclave"]
 version = "1.0.0-beta.15"
 [dependencies]
-lib = { path = "../../../../lib" }
+lib = { path = "../../../../../lib" }
 bb_proof_verification = { git = "https://github.com/AztecProtocol/aztec-packages/", tag = "v3.0.0-nightly.20251104", directory = "barretenberg/noir/bb_proof_verification" }
\ No newline at end of file
diff --git a/circuits/bin/aggregation/insecure/pk_agg_trbfv_wrapper/src/main.nr b/circuits/bin/recursive_aggregation/wrapper/dkg/pk/src/main.nr
similarity index 83%
rename from circuits/bin/aggregation/insecure/pk_agg_trbfv_wrapper/src/main.nr
rename to circuits/bin/recursive_aggregation/wrapper/dkg/pk/src/main.nr
index f56ef89641..b75a778f85 100644
--- a/circuits/bin/aggregation/insecure/pk_agg_trbfv_wrapper/src/main.nr
+++ b/circuits/bin/recursive_aggregation/wrapper/dkg/pk/src/main.nr
@@ -5,12 +5,12 @@
 // or FITNESS FOR A PARTICULAR PURPOSE.
 use bb_proof_verification::{UltraHonkProof, UltraHonkVerificationKey, verify_ultrahonk_proof};
-use lib::math::commitments::compute_aggregation_commitment;
+use lib::math::commitments::compute_recursive_aggregation_commitment;
 // Number of proofs.
 pub global N_PROOFS: u32 = 1;
 /// Number of public inputs/outputs per proof.
-pub global N_PUBLIC_INPUTS: u32 = 6;
+pub global N_PUBLIC_INPUTS: u32 = 1;
 fn main(
 verification_key: UltraHonkVerificationKey,
@@ -30,5 +30,5 @@
 }
 }
- compute_aggregation_commitment(aggregated_public_inputs)
+ compute_recursive_aggregation_commitment(aggregated_public_inputs)
 }
diff --git a/circuits/bin/aggregation/insecure/pk_agg_trbfv_wrapper/Nargo.toml b/circuits/bin/recursive_aggregation/wrapper/dkg/share_computation/Nargo.toml
similarity index 80%
rename from circuits/bin/aggregation/insecure/pk_agg_trbfv_wrapper/Nargo.toml
rename to circuits/bin/recursive_aggregation/wrapper/dkg/share_computation/Nargo.toml
index 0b985dd2cc..4fd91a5925 100644
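Review bot: `pub global N_PUBLIC_INPUTS: u32 = 1;` in the `dkg/pk/src/main.nr` hunk is the only wrapper in this commit that keeps a bare literal; every sibling derives the count from `lib::configs::default`, so a reader has no way to tell what the single public value is or when it should change. The deleted `pk_bfv` circuit on this page returned one `pub Field` with no public inputs, which is presumably the value being counted, but the `pk` circuit this wrapper now targets is not visible here. A one-line doc comment would stop the count drifting from its source: `/// Number of public inputs/outputs per proof: the single pk commitment returned by the pk circuit.` The enclosing `main` is cut by the hunk; its body continues outside it.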
--- a/circuits/bin/aggregation/insecure/pk_agg_trbfv_wrapper/Nargo.toml
+++ b/circuits/bin/recursive_aggregation/wrapper/dkg/share_computation/Nargo.toml
@@ -1,9 +1,9 @@
 [package]
-name = "pk_agg_trbfv_wrapper"
+name = "share_computation"
 type = "bin"
 authors = ["Gnosis Guild / Enclave"]
 version = "1.0.0-beta.15"
 [dependencies]
-lib = { path = "../../../../lib" }
+lib = { path = "../../../../../lib" }
 bb_proof_verification = { git = "https://github.com/AztecProtocol/aztec-packages/", tag = "v3.0.0-nightly.20251104", directory = "barretenberg/noir/bb_proof_verification" }
\ No newline at end of file
diff --git a/circuits/bin/aggregation/production/dec_bfv_wrapper/src/main.nr b/circuits/bin/recursive_aggregation/wrapper/dkg/share_computation/src/main.nr
similarity index 76%
rename from circuits/bin/aggregation/production/dec_bfv_wrapper/src/main.nr
rename to circuits/bin/recursive_aggregation/wrapper/dkg/share_computation/src/main.nr
index b3a6225c3a..489042664c 100644
--- a/circuits/bin/aggregation/production/dec_bfv_wrapper/src/main.nr
+++ b/circuits/bin/recursive_aggregation/wrapper/dkg/share_computation/src/main.nr
@@ -5,12 +5,13 @@
 // or FITNESS FOR A PARTICULAR PURPOSE.
 use bb_proof_verification::{UltraHonkProof, UltraHonkVerificationKey, verify_ultrahonk_proof};
-use lib::math::commitments::compute_aggregation_commitment;
+use lib::configs::default::dkg::L_THRESHOLD;
+use lib::{configs::default::N_PARTIES, math::commitments::compute_recursive_aggregation_commitment};
 // Number of proofs.
 pub global N_PROOFS: u32 = 2;
 /// Number of public inputs/outputs per proof.
-pub global N_PUBLIC_INPUTS: u32 = 21;
+pub global N_PUBLIC_INPUTS: u32 = (L_THRESHOLD * N_PARTIES) + 1;
 fn main(
 verification_key: UltraHonkVerificationKey,
@@ -30,5 +31,5 @@
 }
 }
- compute_aggregation_commitment(aggregated_public_inputs)
+ compute_recursive_aggregation_commitment(aggregated_public_inputs)
 }
diff --git a/circuits/bin/aggregation/insecure/dec_bfv_wrapper/Nargo.toml b/circuits/bin/recursive_aggregation/wrapper/dkg/share_decryption/Nargo.toml
similarity index 81%
rename from circuits/bin/aggregation/insecure/dec_bfv_wrapper/Nargo.toml
rename to circuits/bin/recursive_aggregation/wrapper/dkg/share_decryption/Nargo.toml
index dce69a5e29..712fab69c3 100644
--- a/circuits/bin/aggregation/insecure/dec_bfv_wrapper/Nargo.toml
+++ b/circuits/bin/recursive_aggregation/wrapper/dkg/share_decryption/Nargo.toml
@@ -1,9 +1,9 @@
 [package]
-name = "dec_bfv_wrapper"
+name = "share_decryption"
 type = "bin"
 authors = ["Gnosis Guild / Enclave"]
 version = "1.0.0-beta.15"
 [dependencies]
-lib = { path = "../../../../lib" }
+lib = { path = "../../../../../lib" }
 bb_proof_verification = { git = "https://github.com/AztecProtocol/aztec-packages/", tag = "v3.0.0-nightly.20251104", directory = "barretenberg/noir/bb_proof_verification" }
\ No newline at end of file
diff --git a/circuits/bin/aggregation/insecure/verify_shares_trbfv_wrapper/src/main.nr b/circuits/bin/recursive_aggregation/wrapper/dkg/share_decryption/src/main.nr
similarity index 76%
rename from circuits/bin/aggregation/insecure/verify_shares_trbfv_wrapper/src/main.nr
rename to circuits/bin/recursive_aggregation/wrapper/dkg/share_decryption/src/main.nr
index 1135d82692..db5c034bab 100644
--- a/circuits/bin/aggregation/insecure/verify_shares_trbfv_wrapper/src/main.nr
+++ b/circuits/bin/recursive_aggregation/wrapper/dkg/share_decryption/src/main.nr
@@ -5,12 +5,14 @@
 // or FITNESS FOR A PARTICULAR PURPOSE.
 use bb_proof_verification::{UltraHonkProof, UltraHonkVerificationKey, verify_ultrahonk_proof};
-use lib::math::commitments::compute_aggregation_commitment;
+use lib::configs::default::dkg::L_THRESHOLD;
+use lib::configs::default::H;
+use lib::math::commitments::compute_recursive_aggregation_commitment;
 // Number of proofs.
 pub global N_PROOFS: u32 = 2;
 /// Number of public inputs/outputs per proof.
-pub global N_PUBLIC_INPUTS: u32 = 11;
+pub global N_PUBLIC_INPUTS: u32 = (H * L_THRESHOLD) + 1;
 fn main(
 verification_key: UltraHonkVerificationKey,
@@ -30,5 +32,5 @@
 }
 }
- compute_aggregation_commitment(aggregated_public_inputs)
+ compute_recursive_aggregation_commitment(aggregated_public_inputs)
 }
diff --git a/circuits/bin/aggregation/production/dec_bfv_wrapper/Nargo.toml b/circuits/bin/recursive_aggregation/wrapper/dkg/share_encryption/Nargo.toml
similarity index 81%
rename from circuits/bin/aggregation/production/dec_bfv_wrapper/Nargo.toml
rename to circuits/bin/recursive_aggregation/wrapper/dkg/share_encryption/Nargo.toml
index dce69a5e29..55c25b4518 100644
--- a/circuits/bin/aggregation/production/dec_bfv_wrapper/Nargo.toml
+++ b/circuits/bin/recursive_aggregation/wrapper/dkg/share_encryption/Nargo.toml
@@ -1,9 +1,9 @@
 [package]
-name = "dec_bfv_wrapper"
+name = "share_encryption"
 type = "bin"
 authors = ["Gnosis Guild / Enclave"]
 version = "1.0.0-beta.15"
 [dependencies]
-lib = { path = "../../../../lib" }
+lib = { path = "../../../../../lib" }
 bb_proof_verification = { git = "https://github.com/AztecProtocol/aztec-packages/", tag = "v3.0.0-nightly.20251104", directory = "barretenberg/noir/bb_proof_verification" }
\ No newline at end of file
diff --git a/circuits/bin/aggregation/insecure/enc_bfv_wrapper/src/main.nr b/circuits/bin/recursive_aggregation/wrapper/dkg/share_encryption/src/main.nr
similarity index 79%
rename from circuits/bin/aggregation/insecure/enc_bfv_wrapper/src/main.nr
rename to circuits/bin/recursive_aggregation/wrapper/dkg/share_encryption/src/main.nr
index e313a80056..9f80e24030 100644
--- a/circuits/bin/aggregation/insecure/enc_bfv_wrapper/src/main.nr
+++ b/circuits/bin/recursive_aggregation/wrapper/dkg/share_encryption/src/main.nr
@@ -5,12 +5,15 @@
 // or FITNESS FOR A PARTICULAR PURPOSE.
 use bb_proof_verification::{UltraHonkProof, UltraHonkVerificationKey, verify_ultrahonk_proof};
-use lib::math::commitments::compute_aggregation_commitment;
+use lib::{
+ configs::default::dkg::{L, N},
+ math::commitments::compute_recursive_aggregation_commitment,
+};
 // Number of proofs.
 pub global N_PROOFS: u32 = 2;
 /// Number of public inputs/outputs per proof.
-pub global N_PUBLIC_INPUTS: u32 = 1026;
+pub global N_PUBLIC_INPUTS: u32 = (2 * L * N) + 2;
 fn main(
 verification_key: UltraHonkVerificationKey,
@@ -30,5 +33,5 @@
 }
 }
- compute_aggregation_commitment(aggregated_public_inputs)
+ compute_recursive_aggregation_commitment(aggregated_public_inputs)
 }
diff --git a/circuits/bin/recursive_aggregation/wrapper/threshold/Nargo.toml b/circuits/bin/recursive_aggregation/wrapper/threshold/Nargo.toml
new file mode 100644
index 0000000000..6de3740c61
--- /dev/null
+++ b/circuits/bin/recursive_aggregation/wrapper/threshold/Nargo.toml
@@ -0,0 +1,7 @@
+[workspace]
+members = [
+"pk_generation",
+"pk_aggregation",
+"share_decryption",
+"decrypted_shares_aggregation"
+]
\ No newline at end of file
diff --git a/circuits/bin/aggregation/insecure/dec_share_trbfv_wrapper/Nargo.toml b/circuits/bin/recursive_aggregation/wrapper/threshold/decrypted_shares_aggregation/Nargo.toml
similarity index 78%
rename from circuits/bin/aggregation/insecure/dec_share_trbfv_wrapper/Nargo.toml
rename to circuits/bin/recursive_aggregation/wrapper/threshold/decrypted_shares_aggregation/Nargo.toml
index 71d46d5a18..2cf6fdaa1f 100644
--- a/circuits/bin/aggregation/insecure/dec_share_trbfv_wrapper/Nargo.toml
+++ b/circuits/bin/recursive_aggregation/wrapper/threshold/decrypted_shares_aggregation/Nargo.toml
@@ -1,9 +1,9 @@
 [package]
-name = "dec_share_trbfv_wrapper"
+name = "decrypted_shares_aggregation"
 type = "bin"
 authors = ["Gnosis Guild / Enclave"]
 version = "1.0.0-beta.15"
 [dependencies]
-lib = { path = "../../../../lib" }
+lib = { path = "../../../../../lib" }
 bb_proof_verification = { git = "https://github.com/AztecProtocol/aztec-packages/", tag = "v3.0.0-nightly.20251104", directory = "barretenberg/noir/bb_proof_verification" }
\ No newline at end of file
diff --git a/circuits/bin/recursive_aggregation/wrapper/threshold/decrypted_shares_aggregation/src/main.nr b/circuits/bin/recursive_aggregation/wrapper/threshold/decrypted_shares_aggregation/src/main.nr
new file mode 100644
index 0000000000..a641ba596c
--- /dev/null
+++ b/circuits/bin/recursive_aggregation/wrapper/threshold/decrypted_shares_aggregation/src/main.nr
@@ -0,0 +1,38 @@
+// SPDX-License-Identifier: LGPL-3.0-only
+//
+// This file is provided WITHOUT ANY WARRANTY;
+// without even the implied warranty of MERCHANTABILITY
+// or FITNESS FOR A PARTICULAR PURPOSE.
+
+use bb_proof_verification::{UltraHonkProof, UltraHonkVerificationKey, verify_ultrahonk_proof};
+use lib::{
+ configs::default::{MAX_MSG_NON_ZERO_COEFFS, T, threshold::L},
+ math::commitments::compute_recursive_aggregation_commitment,
+};
+
+// Number of proofs.
+pub global N_PROOFS: u32 = 1;
+/// Number of public inputs/outputs per proof.
+pub global N_PUBLIC_INPUTS: u32 =
+ ((T + 1) * L * MAX_MSG_NON_ZERO_COEFFS) + (T + 1 + MAX_MSG_NON_ZERO_COEFFS);
+
+fn main(
+ verification_key: UltraHonkVerificationKey,
+ proofs: [UltraHonkProof; N_PROOFS],
+ public_inputs: pub [[Field; N_PUBLIC_INPUTS]; N_PROOFS],
+ key_hash: Field,
+) -> pub Field {
+ for i in 0..N_PROOFS {
+ verify_ultrahonk_proof(verification_key, proofs[i], public_inputs[i], key_hash);
+ }
+
+ let mut aggregated_public_inputs = Vec::new();
+
+ for i in 0..N_PROOFS {
+ for j in 0..N_PUBLIC_INPUTS {
+ aggregated_public_inputs.push(public_inputs[i][j]);
+ }
+ }
+
+ compute_recursive_aggregation_commitment(aggregated_public_inputs)
+}
diff --git a/circuits/bin/aggregation/insecure/enc_bfv_wrapper/Nargo.toml b/circuits/bin/recursive_aggregation/wrapper/threshold/pk_aggregation/Nargo.toml
similarity index 81%
rename from circuits/bin/aggregation/insecure/enc_bfv_wrapper/Nargo.toml
rename to circuits/bin/recursive_aggregation/wrapper/threshold/pk_aggregation/Nargo.toml
index 40ab5f97e6..6c1f18cf2b 100644
--- a/circuits/bin/aggregation/insecure/enc_bfv_wrapper/Nargo.toml
+++ b/circuits/bin/recursive_aggregation/wrapper/threshold/pk_aggregation/Nargo.toml
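Review bot: `key_hash` and `verification_key` are private witnesses in the new `main` of `decrypted_shares_aggregation/src/main.nr` (only `public_inputs` and the returned commitment are `pub`), so nothing visible in this wrapper fixes which verification key the inner proof was checked against. Unless the outer verifier or a parent circuit pins the key separately, a prover can satisfy this wrapper with a valid proof of any circuit that happens to have the same `N_PUBLIC_INPUTS` count, and the resulting aggregation commitment would still be accepted. Exposing the key, `key_hash: pub Field`, or pushing `key_hash` into `aggregated_public_inputs` before `compute_recursive_aggregation_commitment` binds the statement to the intended circuit. The sibling wrappers renamed in this commit share the same signature shape, so whichever fix is chosen should be applied across the `wrapper/` tree. Deriving `N_PUBLIC_INPUTS` from the config constants instead of the literals the old wrappers carried is a welcome change.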
@@ -1,9 +1,9 @@
 [package]
-name = "enc_bfv_wrapper"
+name = "pk_aggregation"
 type = "bin"
 authors = ["Gnosis Guild / Enclave"]
 version = "1.0.0-beta.15"
 [dependencies]
-lib = { path = "../../../../lib" }
+lib = { path = "../../../../../lib" }
 bb_proof_verification = { git = "https://github.com/AztecProtocol/aztec-packages/", tag = "v3.0.0-nightly.20251104", directory = "barretenberg/noir/bb_proof_verification" }
\ No newline at end of file
diff --git a/circuits/bin/aggregation/insecure/dec_share_trbfv_wrapper/src/main.nr b/circuits/bin/recursive_aggregation/wrapper/threshold/pk_aggregation/src/main.nr
similarity index 81%
rename from circuits/bin/aggregation/insecure/dec_share_trbfv_wrapper/src/main.nr
rename to circuits/bin/recursive_aggregation/wrapper/threshold/pk_aggregation/src/main.nr
index a6ef2a7033..5186463df8 100644
--- a/circuits/bin/aggregation/insecure/dec_share_trbfv_wrapper/src/main.nr
+++ b/circuits/bin/recursive_aggregation/wrapper/threshold/pk_aggregation/src/main.nr
@@ -5,12 +5,12 @@
 // or FITNESS FOR A PARTICULAR PURPOSE.
 use bb_proof_verification::{UltraHonkProof, UltraHonkVerificationKey, verify_ultrahonk_proof};
-use lib::math::commitments::compute_aggregation_commitment;
+use lib::{configs::default::H, math::commitments::compute_recursive_aggregation_commitment};
 // Number of proofs.
 pub global N_PROOFS: u32 = 1;
 /// Number of public inputs/outputs per proof.
-pub global N_PUBLIC_INPUTS: u32 = 3074;
+pub global N_PUBLIC_INPUTS: u32 = H + 1;
 fn main(
 verification_key: UltraHonkVerificationKey,
@@ -30,5 +30,5 @@
 }
 }
- compute_aggregation_commitment(aggregated_public_inputs)
+ compute_recursive_aggregation_commitment(aggregated_public_inputs)
 }
diff --git a/circuits/bin/aggregation/insecure/pk_trbfv_wrapper/Nargo.toml b/circuits/bin/recursive_aggregation/wrapper/threshold/pk_generation/Nargo.toml
similarity index 81%
rename from circuits/bin/aggregation/insecure/pk_trbfv_wrapper/Nargo.toml
rename to circuits/bin/recursive_aggregation/wrapper/threshold/pk_generation/Nargo.toml
index 42756d468c..4809773695 100644
--- a/circuits/bin/aggregation/insecure/pk_trbfv_wrapper/Nargo.toml
+++ b/circuits/bin/recursive_aggregation/wrapper/threshold/pk_generation/Nargo.toml
@@ -1,9 +1,9 @@
 [package]
-name = "pk_trbfv_wrapper"
+name = "pk_generation"
 type = "bin"
 authors = ["Gnosis Guild / Enclave"]
 version = "1.0.0-beta.15"
 [dependencies]
-lib = { path = "../../../../lib" }
+lib = { path = "../../../../../lib" }
 bb_proof_verification = { git = "https://github.com/AztecProtocol/aztec-packages/", tag = "v3.0.0-nightly.20251104", directory = "barretenberg/noir/bb_proof_verification" }
\ No newline at end of file
diff --git a/circuits/bin/aggregation/insecure/dec_shares_agg_trbfv_wrapper/src/main.nr b/circuits/bin/recursive_aggregation/wrapper/threshold/pk_generation/src/main.nr
similarity index 79%
rename from circuits/bin/aggregation/insecure/dec_shares_agg_trbfv_wrapper/src/main.nr
rename to circuits/bin/recursive_aggregation/wrapper/threshold/pk_generation/src/main.nr
index 28b73825a7..92bff2ca5a 100644
--- a/circuits/bin/aggregation/insecure/dec_shares_agg_trbfv_wrapper/src/main.nr
+++ b/circuits/bin/recursive_aggregation/wrapper/threshold/pk_generation/src/main.nr
@@ -5,12 +5,13 @@
 // or FITNESS FOR A PARTICULAR PURPOSE.
 use bb_proof_verification::{UltraHonkProof, UltraHonkVerificationKey, verify_ultrahonk_proof};
-use lib::math::commitments::compute_aggregation_commitment;
+use lib::configs::default::threshold::{L, N};
+use lib::math::commitments::compute_recursive_aggregation_commitment;
 // Number of proofs.
 pub global N_PROOFS: u32 = 1;
 /// Number of public inputs/outputs per proof.
-pub global N_PUBLIC_INPUTS: u32 = 563;
+pub global N_PUBLIC_INPUTS: u32 = (L * N) + 3;
 fn main(
 verification_key: UltraHonkVerificationKey,
@@ -30,5 +31,5 @@
 }
 }
- compute_aggregation_commitment(aggregated_public_inputs)
+ compute_recursive_aggregation_commitment(aggregated_public_inputs)
 }
diff --git a/circuits/bin/recursive_aggregation/wrapper/threshold/share_decryption/Nargo.toml b/circuits/bin/recursive_aggregation/wrapper/threshold/share_decryption/Nargo.toml
new file mode 100644
index 0000000000..712fab69c3
--- /dev/null
+++ b/circuits/bin/recursive_aggregation/wrapper/threshold/share_decryption/Nargo.toml
@@ -0,0 +1,9 @@
+[package]
+name = "share_decryption"
+type = "bin"
+authors = ["Gnosis Guild / Enclave"]
+version = "1.0.0-beta.15"
+
+[dependencies]
+lib = { path = "../../../../../lib" }
+bb_proof_verification = { git = "https://github.com/AztecProtocol/aztec-packages/", tag = "v3.0.0-nightly.20251104", directory = "barretenberg/noir/bb_proof_verification" }
\ No newline at end of file
diff --git a/circuits/bin/aggregation/insecure/pk_trbfv_wrapper/src/main.nr b/circuits/bin/recursive_aggregation/wrapper/threshold/share_decryption/src/main.nr
similarity index 79%
rename from circuits/bin/aggregation/insecure/pk_trbfv_wrapper/src/main.nr
rename to circuits/bin/recursive_aggregation/wrapper/threshold/share_decryption/src/main.nr
index 0be092170e..eaa31fd7d2 100644
--- a/circuits/bin/aggregation/insecure/pk_trbfv_wrapper/src/main.nr
+++ b/circuits/bin/recursive_aggregation/wrapper/threshold/share_decryption/src/main.nr
@@ -5,12 +5,13 @@ // or FITNESS FOR A PARTICULAR PURPOSE. use bb_proof_verification::{UltraHonkProof, UltraHonkVerificationKey, verify_ultrahonk_proof}; -use lib::math::commitments::compute_aggregation_commitment; +use lib::configs::default::threshold::{L, N}; +use lib::math::commitments::compute_recursive_aggregation_commitment; // Number of proofs. pub global N_PROOFS: u32 = 1; /// Number of public inputs/outputs per proof. -pub global N_PUBLIC_INPUTS: u32 = 1027; +pub global N_PUBLIC_INPUTS: u32 = 2 + 3 * L * N; fn main( verification_key: UltraHonkVerificationKey, @@ -30,5 +31,5 @@ fn main( } } - compute_aggregation_commitment(aggregated_public_inputs) + compute_recursive_aggregation_commitment(aggregated_public_inputs) } diff --git a/circuits/bin/threshold/Nargo.toml b/circuits/bin/threshold/Nargo.toml new file mode 100644 index 0000000000..852e24d056 --- /dev/null +++ b/circuits/bin/threshold/Nargo.toml @@ -0,0 +1,8 @@ +[workspace] +members = [ + "pk_generation", + "pk_aggregation", + "user_data_encryption", + "share_decryption", + "decrypted_shares_aggregation" +] \ No newline at end of file diff --git a/circuits/bin/threshold/decrypted_shares_aggregation_bn/Nargo.toml b/circuits/bin/threshold/decrypted_shares_aggregation_bn/Nargo.toml new file mode 100644 index 0000000000..55b7c2948d --- /dev/null +++ b/circuits/bin/threshold/decrypted_shares_aggregation_bn/Nargo.toml @@ -0,0 +1,9 @@ +[package] +name = "decrypted_shares_aggregation" +type = "bin" +authors = ["Gnosis Guild / Enclave"] +version = "1.0.0-beta.15" + + +[dependencies] +lib = { path = "../../../lib" } diff --git a/circuits/bin/threshold/decrypted_shares_aggregation_bn/README.md b/circuits/bin/threshold/decrypted_shares_aggregation_bn/README.md new file mode 100644 index 0000000000..707a1cdd49 --- /dev/null +++ b/circuits/bin/threshold/decrypted_shares_aggregation_bn/README.md @@ -0,0 +1 @@ +instantiation of Decrypted Shares Aggregation circuit with BigNum (for large Q values) (PVSS #7) 
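Review bot: `N_PUBLIC_INPUTS = 2 + 3 * L * N` does not match the share_decryption circuit added in this diff, whose public inputs are `expected_sk_commitment`, `expected_e_sm_commitment`, `c_0: pub [Polynomial; L]` and `c_1: pub [Polynomial; L]` with no public return — that is `2 + 2 * L * N`. The extra `L * N` is accounted for only if the decryption share `d` is also public; either the circuit should declare `d: pub [Polynomial; L]` (which is also what binds the proof to the published share) or this constant should read `2 + 2 * L * N`. Whichever is intended, state the layout in the doc comment, e.g. `/// Layout: sk commitment, e_sm commitment, c_0 (L * N), c_1 (L * N), d (L * N).`, so the wrapper and the circuit cannot drift apart unnoticed.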
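Review bot: The workspace lists a member `decrypted_shares_aggregation`, but the directories added in this diff are `decrypted_shares_aggregation_bn` and `decrypted_shares_aggregation_mod`, so `nargo` will not find a package at that path. Both of those packages also declare `name = "decrypted_shares_aggregation"`, which likely prevents listing them together. Either pick one as the workspace member (`"decrypted_shares_aggregation_mod"`, matching the README's "Q < 128bit" default) or give the packages distinct names and list both.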
diff --git a/circuits/bin/production/dec_shares_agg_trbfv/src/main.nr b/circuits/bin/threshold/decrypted_shares_aggregation_bn/src/main.nr similarity index 53% rename from circuits/bin/production/dec_shares_agg_trbfv/src/main.nr rename to circuits/bin/threshold/decrypted_shares_aggregation_bn/src/main.nr index 1204a9ca3f..25693a810e 100644 --- a/circuits/bin/production/dec_shares_agg_trbfv/src/main.nr +++ b/circuits/bin/threshold/decrypted_shares_aggregation_bn/src/main.nr @@ -4,15 +4,13 @@ // without even the implied warranty of MERCHANTABILITY // or FITNESS FOR A PARTICULAR PURPOSE. -use lib::configs::production::trbfv::{DEC_SHARES_AGG_BIT_NOISE, DEC_SHARES_AGG_CONFIGS, L}; -use lib::core::trbfv_dec_shares_agg::DecryptionSharesAggregation; +use lib::configs::default::{MAX_MSG_NON_ZERO_COEFFS, T}; +use lib::configs::default::threshold::{ + DECRYPTED_SHARES_AGGREGATION_BIT_NOISE, DECRYPTED_SHARES_AGGREGATION_CONFIGS, L, +}; +use lib::core::threshold::decrypted_shares_aggregation::DecryptedSharesAggregationBigNum; use lib::math::polynomial::Polynomial; -/// Max number of non-zero coefficients in the message polynomial. -pub global MAX_MSG_NON_ZERO_COEFFS: u32 = 80; -/// Threshold. -pub global T: u32 = 2; - fn main( decryption_shares: pub [[Polynomial; L]; T + 1], party_ids: pub [Field; T + 1], @@ -20,8 +18,8 @@ fn main( u_global: Polynomial, crt_quotients: [Polynomial; L], ) { - let dec_share_agg: DecryptionSharesAggregation = DecryptionSharesAggregation::new( - DEC_SHARES_AGG_CONFIGS, + let decrypted_shares_aggregation: DecryptedSharesAggregationBigNum = DecryptedSharesAggregationBigNum::new( + DECRYPTED_SHARES_AGGREGATION_CONFIGS, decryption_shares, party_ids, message, @@ -29,5 +27,5 @@ fn main( crt_quotients, ); - dec_share_agg.verify(); + decrypted_shares_aggregation.execute(); } 
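Review bot: `decrypted_shares_aggregation.execute();` discards whatever `execute` returns; in this same diff `UserDataEncryption::execute` returns a bool that the caller must `assert`, while `ShareDecryption::execute` is used as a unit tail expression. If `DecryptedSharesAggregationBigNum::execute` follows the bool convention, this circuit constrains nothing and every proof verifies — the library side is not visible here, so please confirm, and if it returns a bool write `assert(decrypted_shares_aggregation.execute());`. Separately, `party_ids: pub [Field; T + 1]` look like prover-supplied interpolation points (inferred from the name and the `T + 1` shape); if distinctness is not asserted inside `execute`, a duplicate id makes the reconstruction degenerate, and a comment above `main` should say which side enforces it.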
diff --git a/circuits/bin/threshold/decrypted_shares_aggregation_mod/Nargo.toml b/circuits/bin/threshold/decrypted_shares_aggregation_mod/Nargo.toml new file mode 100644 index 0000000000..55b7c2948d --- /dev/null +++ b/circuits/bin/threshold/decrypted_shares_aggregation_mod/Nargo.toml @@ -0,0 +1,9 @@ +[package] +name = "decrypted_shares_aggregation" +type = "bin" +authors = ["Gnosis Guild / Enclave"] +version = "1.0.0-beta.15" + + +[dependencies] +lib = { path = "../../../lib" } diff --git a/circuits/bin/threshold/decrypted_shares_aggregation_mod/README.md b/circuits/bin/threshold/decrypted_shares_aggregation_mod/README.md new file mode 100644 index 0000000000..05dbe220ab --- /dev/null +++ b/circuits/bin/threshold/decrypted_shares_aggregation_mod/README.md @@ -0,0 +1,2 @@ +instantiation of Decrypted Shares Aggregation circuit with modular arithmetic (for Q < 128bit) (PVSS +#7) diff --git a/circuits/bin/insecure/dec_shares_agg_trbfv/src/main.nr b/circuits/bin/threshold/decrypted_shares_aggregation_mod/src/main.nr similarity index 53% rename from circuits/bin/insecure/dec_shares_agg_trbfv/src/main.nr rename to circuits/bin/threshold/decrypted_shares_aggregation_mod/src/main.nr index 98b2124ce4..94e2a695af 100644 --- a/circuits/bin/insecure/dec_shares_agg_trbfv/src/main.nr +++ b/circuits/bin/threshold/decrypted_shares_aggregation_mod/src/main.nr 
@@ -4,15 +4,13 @@ // without even the implied warranty of MERCHANTABILITY // or FITNESS FOR A PARTICULAR PURPOSE. -use lib::configs::insecure::trbfv::{DEC_SHARES_AGG_BIT_NOISE, DEC_SHARES_AGG_CONFIGS, L}; -use lib::core::trbfv_dec_shares_agg::DecryptionSharesAggregation; +use lib::configs::default::{MAX_MSG_NON_ZERO_COEFFS, T}; +use lib::configs::default::threshold::{ + DECRYPTED_SHARES_AGGREGATION_BIT_NOISE, DECRYPTED_SHARES_AGGREGATION_CONFIGS, L, +}; +use lib::core::threshold::decrypted_shares_aggregation::DecryptedSharesAggregationModular; use lib::math::polynomial::Polynomial; -/// Max number of non-zero coefficients in the message polynomial. -pub global MAX_MSG_NON_ZERO_COEFFS: u32 = 80; -/// Threshold. -pub global T: u32 = 2; - fn main( decryption_shares: pub [[Polynomial; L]; T + 1], party_ids: pub [Field; T + 1], @@ -20,8 +18,8 @@ fn main( u_global: Polynomial, crt_quotients: [Polynomial; L], ) { - let dec_share_agg: DecryptionSharesAggregation = DecryptionSharesAggregation::new( - DEC_SHARES_AGG_CONFIGS, + let decrypted_shares_aggregation: DecryptedSharesAggregationModular = DecryptedSharesAggregationModular::new( + DECRYPTED_SHARES_AGGREGATION_CONFIGS, decryption_shares, party_ids, message, @@ -29,5 +27,5 @@ fn main( crt_quotients, ); - dec_share_agg.verify_no_bn(); + decrypted_shares_aggregation.execute(); } diff --git a/circuits/bin/insecure/dec_bfv_sk/Nargo.toml b/circuits/bin/threshold/pk_aggregation/Nargo.toml similarity index 84% rename from circuits/bin/insecure/dec_bfv_sk/Nargo.toml rename to circuits/bin/threshold/pk_aggregation/Nargo.toml index ad3b7f7f8c..1dd39a6acb 100644 --- a/circuits/bin/insecure/dec_bfv_sk/Nargo.toml +++ b/circuits/bin/threshold/pk_aggregation/Nargo.toml @@ -1,9 +1,8 @@ [package] -name = "dec_bfv_sk" +name = "pk_aggregation" type = "bin" authors = ["Gnosis Guild / Enclave"] version = "1.0.0-beta.15" - [dependencies] lib = { path = "../../../lib" } 
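Review bot: This `_mod` instantiation is documented as valid only for Q < 128 bits, yet it and the `_bn` variant read the identical `DECRYPTED_SHARES_AGGREGATION_CONFIGS` and `QIS` from `lib::configs::default::threshold`, so nothing stops a larger parameter set from being compiled into the modular path, where the reduction would silently wrap. A compile-time guard on the config, e.g. `std::static_assert(...)` (if the Noir version used supports it) on the product of the `QIS` fitting the modular bound, would turn the README convention into something the compiler enforces. As in the `_bn` variant, the value of `execute()` is dropped by the trailing semicolon; confirm it returns unit and asserts internally.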
diff --git a/circuits/bin/threshold/pk_aggregation/README.md b/circuits/bin/threshold/pk_aggregation/README.md new file mode 100644 index 0000000000..7644350ebc --- /dev/null +++ b/circuits/bin/threshold/pk_aggregation/README.md @@ -0,0 +1 @@ +instantiation of Threshold Public Key Aggregation circuit (PVSS #5) diff --git a/circuits/bin/insecure/pk_agg_trbfv/src/main.nr b/circuits/bin/threshold/pk_aggregation/src/main.nr similarity index 50% rename from circuits/bin/insecure/pk_agg_trbfv/src/main.nr rename to circuits/bin/threshold/pk_aggregation/src/main.nr index 98e57a0801..0ef023adb8 100644 --- a/circuits/bin/insecure/pk_agg_trbfv/src/main.nr +++ b/circuits/bin/threshold/pk_aggregation/src/main.nr @@ -4,28 +4,26 @@ // without even the implied warranty of MERCHANTABILITY // or FITNESS FOR A PARTICULAR PURPOSE. -use lib::configs::insecure::trbfv::{L, N, PK_AGG_TRBFV_BIT_PK, PK_AGG_TRBFV_CONFIGS}; -use lib::core::trbfv_pk_agg::TrbfvPublicKeyAggregation; +use lib::configs::default::H; +use lib::configs::default::threshold::{L, N, PK_AGGREGATION_BIT_PK, PK_AGGREGATION_CONFIGS}; +use lib::core::threshold::pk_aggregation::PkAggregation; use lib::math::polynomial::Polynomial; -/// Number of honest parties. -pub global H: u32 = 5; - fn main( - expected_pk_trbfv_commitments: pub [Field; H], + expected_threshold_pk_commitments: pub [Field; H], pk0: [[Polynomial; L]; H], pk1: [[Polynomial; L]; H], pk0_agg: [Polynomial; L], pk1_agg: [Polynomial; L], ) -> pub Field { - let pk_agg_trbfv: TrbfvPublicKeyAggregation = TrbfvPublicKeyAggregation::new( - PK_AGG_TRBFV_CONFIGS, - expected_pk_trbfv_commitments, + let pk_aggregation: PkAggregation = PkAggregation::new( + PK_AGGREGATION_CONFIGS, + expected_threshold_pk_commitments, pk0, pk1, pk0_agg, pk1_agg, ); - pk_agg_trbfv.verify() + pk_aggregation.execute() } 
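Review bot: The new `main` has no doc comment saying what the returned `pub Field` is, and the public/private split is non-obvious: only `expected_threshold_pk_commitments` is public, while the individual keys and the aggregate `pk0_agg`/`pk1_agg` are private witnesses, so a verifier learns the aggregate only through the returned value. Suggest a header along the lines of `/// Proves (pk0_agg, pk1_agg) is the aggregate of H public keys whose commitments are the public inputs; returns a commitment to the aggregate that downstream circuits must check against the published key.` — with the exact relation taken from `PkAggregation::execute`, which is not in this diff. Note also that `H` now comes from `configs::default`, where it equals `N_PARTIES` (5), so this circuit needs every committee member's key; if that is intended, "honest parties" is a misleading name for it.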
diff --git a/circuits/bin/insecure/dec_bfv_e_sm/Nargo.toml b/circuits/bin/threshold/pk_generation/Nargo.toml similarity index 85% rename from circuits/bin/insecure/dec_bfv_e_sm/Nargo.toml rename to circuits/bin/threshold/pk_generation/Nargo.toml index f72554aadf..66fa180131 100644 --- a/circuits/bin/insecure/dec_bfv_e_sm/Nargo.toml +++ b/circuits/bin/threshold/pk_generation/Nargo.toml @@ -1,9 +1,8 @@ [package] -name = "dec_bfv_e_sm" +name = "pk_generation" type = "bin" authors = ["Gnosis Guild / Enclave"] version = "1.0.0-beta.15" - [dependencies] lib = { path = "../../../lib" } diff --git a/circuits/bin/threshold/pk_generation/README.md b/circuits/bin/threshold/pk_generation/README.md new file mode 100644 index 0000000000..57a498a870 --- /dev/null +++ b/circuits/bin/threshold/pk_generation/README.md @@ -0,0 +1 @@ +instantiation of correct Threshold Public Key Generation circuit (PVSS #1) diff --git a/circuits/bin/threshold/pk_generation/src/main.nr b/circuits/bin/threshold/pk_generation/src/main.nr new file mode 100644 index 0000000000..36ba52798f --- /dev/null +++ b/circuits/bin/threshold/pk_generation/src/main.nr 
@@ -0,0 +1,36 @@
+// SPDX-License-Identifier: LGPL-3.0-only
+//
+// This file is provided WITHOUT ANY WARRANTY;
+// without even the implied warranty of MERCHANTABILITY
+// or FITNESS FOR A PARTICULAR PURPOSE.
+
+use lib::configs::default::threshold::{
+ L, N, PK_GENERATION_BIT_E_SM, PK_GENERATION_BIT_EEK, PK_GENERATION_BIT_PK, PK_GENERATION_BIT_R1,
+ PK_GENERATION_BIT_R2, PK_GENERATION_BIT_SK, PK_GENERATION_CONFIGS,
+};
+use lib::core::threshold::pk_generation::PkGeneration;
+use lib::math::polynomial::Polynomial;
+
+fn main(
+ a: pub [Polynomial; L],
+ eek: Polynomial,
+ sk: Polynomial,
+ e_sm: [Polynomial; L],
+ r1is: [Polynomial<(2 * N) - 1>; L],
+ r2is: [Polynomial; L],
+ pk0is: [Polynomial; L],
+ pk1is: [Polynomial; L],
+) -> pub (Field, Field, Field) {
+ let pk_generation: PkGeneration = PkGeneration::new(
+ PK_GENERATION_CONFIGS,
+ a,
+ eek,
+ sk,
+ e_sm,
+ r1is,
+ r2is,
+ pk0is,
+ pk1is,
+ );
+ pk_generation.execute()
+}
diff --git a/circuits/bin/insecure/dec_share_trbfv/Nargo.toml b/circuits/bin/threshold/share_decryption/Nargo.toml
similarity index 83%
rename from circuits/bin/insecure/dec_share_trbfv/Nargo.toml
rename to circuits/bin/threshold/share_decryption/Nargo.toml
index cc6b5f1e6b..10c7fc9cd4 100644
--- a/circuits/bin/insecure/dec_share_trbfv/Nargo.toml
+++ b/circuits/bin/threshold/share_decryption/Nargo.toml
@@ -1,5 +1,5 @@
 [package]
-name = "dec_share_trbfv"
+name = "share_decryption"
 type = "bin"
 authors = ["Gnosis Guild / Enclave"]
 version = "1.0.0-beta.15"
diff --git a/circuits/bin/threshold/share_decryption/README.md b/circuits/bin/threshold/share_decryption/README.md
new file mode 100644
index 0000000000..07caf5bb80
--- /dev/null
+++ b/circuits/bin/threshold/share_decryption/README.md
@@ -0,0 +1 @@
+instantiation of Threshold Share Decryption circuit (PVSS #6)
diff --git a/circuits/bin/threshold/share_decryption/src/main.nr b/circuits/bin/threshold/share_decryption/src/main.nr
new file mode 100644
index 0000000000..c2285bed5c
--- /dev/null
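Review bot: Nothing documents what the three returned `pub Field`s are or in what order, and the recursive wrapper for this circuit hashes its public inputs positionally (`compute_recursive_aggregation_commitment` over `(L * N) + 3` values), so that order is part of the verified interface. From the consumers in this diff — share_decryption takes `expected_sk_commitment` and `expected_e_sm_commitment`, user_data_encryption takes `pk_commitment` — they are presumably commitments to `sk`, `e_sm` and the generated key, but that is inferred, not stated; please confirm and add a header such as `/// Public input: the common random polynomial a. Returns (commit(sk), commit(e_sm), commit(pk0is, pk1is)) in that order; every other argument is a private witness bounded by PK_GENERATION_CONFIGS.` with the real order. The `PK_GENERATION_BIT_*` imports do not appear in the 36 lines as shown; every `Polynomial` here also lacks its size parameter, which suggests generic arguments were stripped in rendering, so ignore this if that is where they are used, otherwise they are dead imports.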
+++ b/circuits/bin/threshold/share_decryption/src/main.nr
@@ -0,0 +1,39 @@
+// SPDX-License-Identifier: LGPL-3.0-only
+//
+// This file is provided WITHOUT ANY WARRANTY;
+// without even the implied warranty of MERCHANTABILITY
+// or FITNESS FOR A PARTICULAR PURPOSE.
+
+use lib::configs::default::threshold::{
+ L, N, SHARE_DECRYPTION_BIT_CT, SHARE_DECRYPTION_BIT_D, SHARE_DECRYPTION_BIT_E_SM,
+ SHARE_DECRYPTION_BIT_R1, SHARE_DECRYPTION_BIT_R2, SHARE_DECRYPTION_BIT_SK,
+ SHARE_DECRYPTION_CONFIGS,
+};
+use lib::core::threshold::share_decryption::ShareDecryption;
+use lib::math::polynomial::Polynomial;
+
+fn main(
+ expected_sk_commitment: pub Field,
+ expected_e_sm_commitment: pub Field,
+ c_0: pub [Polynomial; L],
+ c_1: pub [Polynomial; L],
+ sk: [Polynomial; L],
+ e_sm: [Polynomial; L],
+ r_1: [Polynomial<(2 * N) - 1>; L],
+ r_2: [Polynomial; L],
+ d: [Polynomial; L],
+) {
+ let share_decryption: ShareDecryption = ShareDecryption::new(
+ SHARE_DECRYPTION_CONFIGS,
+ expected_sk_commitment,
+ expected_e_sm_commitment,
+ c_0,
+ c_1,
+ sk,
+ e_sm,
+ r_1,
+ r_2,
+ d,
+ );
+ share_decryption.execute()
+}
diff --git a/circuits/bin/threshold/user_data_encryption/Nargo.toml b/circuits/bin/threshold/user_data_encryption/Nargo.toml
new file mode 100644
index 0000000000..764bea6a63
--- /dev/null
+++ b/circuits/bin/threshold/user_data_encryption/Nargo.toml
@@ -0,0 +1,9 @@
+[package]
+name = "user_data_encryption"
+type = "bin"
+authors = ["Gnosis Guild / Enclave"]
+version = "1.0.0-beta.15"
+
+
+[dependencies]
+lib = { path = "../../../lib" }
diff --git a/circuits/bin/threshold/user_data_encryption/README.md b/circuits/bin/threshold/user_data_encryption/README.md
new file mode 100644
index 0000000000..6486a4429c
--- /dev/null
+++ b/circuits/bin/threshold/user_data_encryption/README.md
@@ -0,0 +1 @@
+instantiation of Correct Threshold BFV Public Key User Data Encryption (Greco)
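Review bot: The decryption share `d: [Polynomial; L]` is a private witness and `main` returns nothing, so the proof shows that some share consistent with the committed `sk`/`e_sm` and the public ciphertext exists, but nothing binds it to the share a party actually publishes — a party could post a different `d` alongside a valid proof. Declaring `d: pub [Polynomial; L]` (or returning a commitment to it) closes that gap, and it is also the only layout under which the recursive wrapper's `N_PUBLIC_INPUTS = 2 + 3 * L * N` is right; with `d` private this circuit exposes `2 + 2 * L * N`. If `d` is bound elsewhere (for instance hashed in the aggregation circuit), say so in a doc comment above `main` so the next reader does not have to re-derive it.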
diff --git a/circuits/bin/threshold/user_data_encryption/src/main.nr b/circuits/bin/threshold/user_data_encryption/src/main.nr
new file mode 100644
index 0000000000..66de56865a
--- /dev/null
+++ b/circuits/bin/threshold/user_data_encryption/src/main.nr
@@ -0,0 +1,53 @@
+// SPDX-License-Identifier: LGPL-3.0-only
+//
+// This file is provided WITHOUT ANY WARRANTY;
+// without even the implied warranty of MERCHANTABILITY
+// or FITNESS FOR A PARTICULAR PURPOSE.
+
+use lib::configs::default::threshold::{
+ L, N, USER_DATA_ENCRYPTION_BIT_CT, USER_DATA_ENCRYPTION_BIT_E0, USER_DATA_ENCRYPTION_BIT_E1,
+ USER_DATA_ENCRYPTION_BIT_K, USER_DATA_ENCRYPTION_BIT_P1, USER_DATA_ENCRYPTION_BIT_P2,
+ USER_DATA_ENCRYPTION_BIT_PK, USER_DATA_ENCRYPTION_BIT_R1, USER_DATA_ENCRYPTION_BIT_R2,
+ USER_DATA_ENCRYPTION_BIT_U, USER_DATA_ENCRYPTION_CONFIGS,
+};
+use lib::core::threshold::user_data_encryption::UserDataEncryption;
+use lib::math::polynomial::Polynomial;
+
+fn main(
+ pk_commitment: pub Field,
+ pk0is: [Polynomial; L],
+ pk1is: [Polynomial; L],
+ ct0is: [Polynomial; L],
+ ct1is: [Polynomial; L],
+ u: Polynomial,
+ e0: Polynomial,
+ e1: Polynomial,
+ e0is: [Polynomial; L],
+ e0_quotients: [Polynomial; L],
+ k1: Polynomial,
+ r1is: [Polynomial<(2 * N) - 1>; L],
+ r2is: [Polynomial; L],
+ p1is: [Polynomial<(2 * N) - 1>; L],
+ p2is: [Polynomial; L],
+) {
+ let user_data_encryption: UserDataEncryption = UserDataEncryption::new(
+ USER_DATA_ENCRYPTION_CONFIGS,
+ pk_commitment,
+ pk0is,
+ pk1is,
+ ct0is,
+ ct1is,
+ u,
+ e0,
+ e0is,
+ e0_quotients,
+ e1,
+ k1,
+ r1is,
+ r2is,
+ p1is,
+ p2is,
+ );
+ let is_user_data_encryption_valid = user_data_encryption.execute();
+ assert(is_user_data_encryption_valid);
+}
diff --git a/circuits/lib/Nargo.toml b/circuits/lib/Nargo.toml
index cf47352b02..5602a4b52b 100644
--- a/circuits/lib/Nargo.toml
+++ b/circuits/lib/Nargo.toml
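Review bot: `ct0is`/`ct1is` are private witnesses and `main` has no public return, so the only public input is `pk_commitment`: the proof establishes that a well-formed ciphertext under the committed key exists, not that the ciphertext a user submits is that ciphertext. For a Greco-style correct-encryption guarantee the ciphertext has to be bound — declare `ct0is: pub [Polynomial; L]` and `ct1is: pub [Polynomial; L]`, or return a commitment to them — unless `UserDataEncryption::execute` (not in this diff) hashes them into something exposed elsewhere; please confirm. Also, `UserDataEncryption::new` is called with `e0, e0is, e0_quotients, e1` while `main` declares `e0, e1, e0is, e0_quotients`; `e0` and `e1` have the same type and (in the insecure preset) the same bound, so a swapped positional argument would compile and prove silently, which makes the constructor's parameter order worth double-checking.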
@@ -7,4 +7,4 @@ version = "1.0.0-beta.15"
 [dependencies]
 poseidon = { tag = "v0.1.1", git = "https://github.com/noir-lang/poseidon" }
 keccak256 = { tag = "v0.1.1", git = "https://github.com/noir-lang/keccak256" }
-bignum = { tag = "v0.0.2", git = "https://github.com/gnosisguild/noir-bignum" }
\ No newline at end of file
+bignum = { tag = "v0.0.3", git = "https://github.com/gnosisguild/noir-bignum" }
\ No newline at end of file
diff --git a/circuits/lib/src/configs/production/mod.nr b/circuits/lib/src/configs/committee/mod.nr
similarity index 87%
rename from circuits/lib/src/configs/production/mod.nr
rename to circuits/lib/src/configs/committee/mod.nr
index 2d2beb97b1..3376ead18d 100644
--- a/circuits/lib/src/configs/production/mod.nr
+++ b/circuits/lib/src/configs/committee/mod.nr
@@ -4,5 +4,4 @@
 // without even the implied warranty of MERCHANTABILITY
 // or FITNESS FOR A PARTICULAR PURPOSE.
 
-pub mod bfv;
-pub mod trbfv;
+pub mod small;
diff --git a/circuits/lib/src/configs/committee/small.nr b/circuits/lib/src/configs/committee/small.nr
new file mode 100644
index 0000000000..9d037d65f7
--- /dev/null
+++ b/circuits/lib/src/configs/committee/small.nr
@@ -0,0 +1,15 @@
+// SPDX-License-Identifier: LGPL-3.0-only
+//
+// This file is provided WITHOUT ANY WARRANTY;
+// without even the implied warranty of MERCHANTABILITY
+// or FITNESS FOR A PARTICULAR PURPOSE.
+
+/// Currently defaults to just small committee size.
+/// In the future, we will add more committee sizes.
+
+/// Number of parties.
+pub global N_PARTIES: u32 = 5;
+/// Threshold.
+pub global T: u32 = 2;
+/// Number of honest parties.
+pub global H: u32 = 5;
diff --git a/circuits/lib/src/configs/default/mod.nr b/circuits/lib/src/configs/default/mod.nr
new file mode 100644
index 0000000000..e1d4793718
--- /dev/null
+++ b/circuits/lib/src/configs/default/mod.nr
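Review bot: `T` and `H` are documented only as "Threshold" and "Number of honest parties", but the circuits in this diff reconstruct from `T + 1` shares (`decryption_shares: pub [[Polynomial; L]; T + 1]`) and aggregate exactly `H` public keys, and with `H == N_PARTIES == 5` a single absent member blocks aggregation. Spell the convention out, e.g. `/// Maximum number of corrupted parties; reconstruction needs T + 1 shares.` and `/// Number of public keys that must be present for aggregation (currently the whole committee).` — hedged, since the meaning of `H` is inferred from its use in pk_aggregation rather than stated here. A guard such as `std::static_assert(T < N_PARTIES, "T must be below N_PARTIES")` (if the Noir version used supports it) would also keep the `N_PARTIES - T` parity-matrix dimension in `insecure/dkg.nr` from underflowing when these numbers are edited.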
@@ -0,0 +1,16 @@
+// SPDX-License-Identifier: LGPL-3.0-only
+//
+// This file is provided WITHOUT ANY WARRANTY;
+// without even the implied warranty of MERCHANTABILITY
+// or FITNESS FOR A PARTICULAR PURPOSE.
+//
+// Unico punto in cui si cambia il param-set: re-esporta insecure o production
+// (in futuro altri param-set). I circuiti usano tutti lib::configs::default::*.
+
+pub use super::committee::small::{H, N_PARTIES, T};
+pub use super::insecure::dkg;
+pub use super::insecure::threshold;
+
+/// Max number of non-zero coefficients in the message polynomial.
+/// This is a conservative estimate that should be okay for most use cases.
+pub global MAX_MSG_NON_ZERO_COEFFS: u32 = 80;
diff --git a/circuits/lib/src/configs/insecure/bfv.nr b/circuits/lib/src/configs/insecure/bfv.nr
deleted file mode 100644
index cb9681e600..0000000000
--- a/circuits/lib/src/configs/insecure/bfv.nr
+++ /dev/null
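Review bot: `pub use super::insecure::dkg;` and `pub use super::insecure::threshold;` make the insecure parameter set the one every circuit compiles against, while this diff also removes the `insecure/` and `production/` segments from the binary paths (`circuits/bin/threshold/...`, `recursive_aggregation/wrapper/threshold/...`) and renames `configs/production/mod.nr` to `committee/mod.nr` with `bfv`/`trbfv` dropped — so the word "insecure" no longer appears anywhere a deployer would look and no production preset is referenced anywhere visible. The comment explaining the switch is in Italian; in English it reads `// Single place where the parameter set is switched: re-exports the insecure or production preset (other presets in future). All circuits use lib::configs::default::*.`, and I would add `// WARNING: currently re-exports the INSECURE preset (N = 512, plaintext modulus 10, two ~36-bit moduli); not for deployment.` A `pub global IS_INSECURE_PRESET: bool = true;` that CI asserts on would make the switch machine-checkable rather than a matter of reading this file. Note also that `insecure/dkg.nr` imports `N_PARTIES`/`T` back from `configs::default`, so the preset and the selector module now depend on each other.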
@@ -1,120 +0,0 @@ -// SPDX-License-Identifier: LGPL-3.0-only -// -// This file is provided WITHOUT ANY WARRANTY; -// without even the implied warranty of MERCHANTABILITY -// or FITNESS FOR A PARTICULAR PURPOSE. - -use crate::core::bfv_enc::Configs as BfvEncConfigs; - -// Global configs for BFV Decryption circuit -pub global N: u32 = 512; -pub global L_TRBFV: u32 = 2; -pub global L_PRIME: u32 = 1; -pub global QIS: [Field; L_PRIME] = [2251799813554177]; -pub global TRBFV_QIS: [Field; L_TRBFV] = [68719403009, 68719230977]; -pub global L: u32 = 1; -pub global Q_MOD_T: Field = 1082658244788225; -pub global BFV_Q_INVERSE_MOD_T: Field = 39210117854; -pub global BFV_PLAINTEXT_MODULUS: Field = 68719403009; - -/************************************ -------------------------------------- -pk_bfv (CIRCUIT 0 - PUBLIC KEY BFV) -------------------------------------- -************************************/ - -// pk_bfv - bit parameters -pub global PK_BFV_BIT_PK: u32 = 50; - -/************************************ -------------------------------------- -enc_bfv (CIRCUIT 3a - BFV ENCRYPTION SK) -------------------------------------- -************************************/ - -// enc_bfv - bit parameters -pub global ENC_BFV_BIT_PK: u32 = 51; -pub global ENC_BFV_BIT_CT: u32 = 51; -pub global ENC_BFV_BIT_U: u32 = 2; -pub global ENC_BFV_BIT_E0: u32 = 4; -pub global ENC_BFV_BIT_E1: u32 = 4; -pub global ENC_BFV_BIT_MSG: u32 = 37; -pub global ENC_BFV_BIT_R1: u32 = 36; -pub global ENC_BFV_BIT_R2: u32 = 51; -pub global ENC_BFV_BIT_P1: u32 = 10; -pub global ENC_BFV_BIT_P2: u32 = 51; - -// enc_bfv - bounds -pub global ENC_BFV_T: Field = 68719403009; -pub global ENC_BFV_Q_MOD_T: Field = 2415755265; -pub global ENC_BFV_K0IS: [Field; L] = [1284838520228573]; -pub global ENC_BFV_PK_BOUNDS: [Field; L] = [1125899906777088]; -pub global ENC_BFV_E0_BOUND: Field = 6; -pub global ENC_BFV_E1_BOUND: Field = 6; -pub global ENC_BFV_U_BOUND: Field = 1; -pub global ENC_BFV_R1_LOW_BOUNDS: [Field; L] = 
[19605059183]; -pub global ENC_BFV_R1_UP_BOUNDS: [Field; L] = [19605059183]; -pub global ENC_BFV_R2_BOUNDS: [Field; L] = [1125899906777088]; -pub global ENC_BFV_P1_BOUNDS: [Field; L] = [256]; -pub global ENC_BFV_P2_BOUNDS: [Field; L] = [1125899906777088]; -pub global ENC_BFV_MSG_BOUND: Field = 68719403008; - -// enc_bfv - configs -pub global ENC_BFV_CONFIGS_SK: BfvEncConfigs = BfvEncConfigs::new( - ENC_BFV_T, - ENC_BFV_Q_MOD_T, - QIS, - ENC_BFV_K0IS, - ENC_BFV_PK_BOUNDS, - ENC_BFV_E0_BOUND, - ENC_BFV_E1_BOUND, - ENC_BFV_U_BOUND, - ENC_BFV_R1_LOW_BOUNDS, - ENC_BFV_R1_UP_BOUNDS, - ENC_BFV_R2_BOUNDS, - ENC_BFV_P1_BOUNDS, - ENC_BFV_P2_BOUNDS, - ENC_BFV_MSG_BOUND, -); - -/************************************ -------------------------------------- -enc_bfv (CIRCUIT 3b - BFV ENCRYPTION E_SM) -------------------------------------- -************************************/ - -// enc_bfv E_SM uses the same bit parameters and bounds as SK -pub global ENC_BFV_CONFIGS_E_SM: BfvEncConfigs = BfvEncConfigs::new( - ENC_BFV_T, - ENC_BFV_Q_MOD_T, - QIS, - ENC_BFV_K0IS, - ENC_BFV_PK_BOUNDS, - ENC_BFV_E0_BOUND, - ENC_BFV_E1_BOUND, - ENC_BFV_U_BOUND, - ENC_BFV_R1_LOW_BOUNDS, - ENC_BFV_R1_UP_BOUNDS, - ENC_BFV_R2_BOUNDS, - ENC_BFV_P1_BOUNDS, - ENC_BFV_P2_BOUNDS, - ENC_BFV_MSG_BOUND, -); - -/************************************ -------------------------------------- -dec_bfv (CIRCUIT 4a - BFV DECRYPTION SK) -------------------------------------- -************************************/ - -// dec_bfv - bit parameters -pub global DEC_BFV_BIT_MSG_SK: u32 = 37; - -/************************************ -------------------------------------- -dec_bfv (CIRCUIT 4b - BFV DECRYPTION E_SM) -------------------------------------- -************************************/ - -// dec_bfv - bit parameters -pub global DEC_BFV_BIT_MSG_E_SM: u32 = 37; diff --git a/circuits/lib/src/configs/insecure/dkg.nr b/circuits/lib/src/configs/insecure/dkg.nr new file mode 100644 index 0000000000..e1c3e3151a --- /dev/null 
+++ b/circuits/lib/src/configs/insecure/dkg.nr 
@@ -0,0 +1,162 @@ +// SPDX-License-Identifier: LGPL-3.0-only +// +// This file is provided WITHOUT ANY WARRANTY; +// without even the implied warranty of MERCHANTABILITY +// or FITNESS FOR A PARTICULAR PURPOSE. + +use crate::configs::default::{N_PARTIES, T}; +pub use crate::configs::insecure::threshold::{L as L_THRESHOLD, QIS as QIS_THRESHOLD}; +use crate::core::dkg::share_computation::Configs as ShareComputationConfigs; +use crate::core::dkg::share_encryption::Configs as ShareEncryptionConfigs; + +// Global configs for DKG insecure preset +pub global N: u32 = 512; +pub global L: u32 = 1; +pub global PLAINTEXT_MODULUS: Field = 68719403009; +pub global QIS: [Field; L] = [2251799813554177]; +pub global Q_MOD_T: Field = 1082658244788225; +pub global Q_INVERSE_MOD_T: Field = 39210117854; + +/************************************ +------------------------------------- +pk (CIRCUIT 0) +------------------------------------- +************************************/ + +// pk - bit parameters +pub global PK_BIT_PK: u32 = 50; + +/// Parity check matrix for each modulus. 
+/// PARITY_MATRIX[modulus_idx][row][col] where size is [L][N_PARTIES-T][N_PARTIES+1] +pub global PARITY_MATRIX: [[[Field; N_PARTIES + 1]; N_PARTIES - T]; L_THRESHOLD] = [ + [ + [68719403008, 3, 68719403006, 1, 0, 0], + [68719403006, 8, 68719403003, 0, 1, 0], + [68719403003, 15, 68719402999, 0, 0, 1], + ], + [ + [68719230976, 3, 68719230974, 1, 0, 0], + [68719230974, 8, 68719230971, 0, 1, 0], + [68719230971, 15, 68719230967, 0, 0, 1], + ], +]; + +/************************************ +------------------------------------- +share_computation_sk (CIRCUIT 2a) +------------------------------------- +************************************/ + +// share_computation_sk - bit parameters +pub global SHARE_COMPUTATION_BIT_SHARE: u32 = 37; +pub global SHARE_COMPUTATION_SK_BIT_SECRET: u32 = 2; + +// share_computation_sk - configs +pub global SHARE_COMPUTATION_SK_CONFIGS: ShareComputationConfigs = + ShareComputationConfigs::new(QIS_THRESHOLD); + +/************************************ +------------------------------------- +share_computation_e_sm (CIRCUIT 2b) +------------------------------------- +************************************/ + +// share_computation_e_sm - bit parameters +pub global SHARE_COMPUTATION_E_SM_BIT_SECRET: u32 = 18; + +// verify_shares - configs +pub global SHARE_COMPUTATION_E_SM_CONFIGS: ShareComputationConfigs = + ShareComputationConfigs::new(QIS_THRESHOLD); + +/************************************ +------------------------------------- +share_encryption_sk (CIRCUIT 3a) +------------------------------------- +************************************/ + +// share_encryption_sk - bit parameters +pub global SHARE_ENCRYPTION_BIT_PK: u32 = 51; +pub global SHARE_ENCRYPTION_BIT_CT: u32 = 51; +pub global SHARE_ENCRYPTION_BIT_U: u32 = 2; +pub global SHARE_ENCRYPTION_BIT_E0: u32 = 4; +pub global SHARE_ENCRYPTION_BIT_E1: u32 = 4; +pub global SHARE_ENCRYPTION_BIT_MSG: u32 = 37; +pub global SHARE_ENCRYPTION_BIT_R1: u32 = 36; +pub global SHARE_ENCRYPTION_BIT_R2: u32 = 51; +pub 
global SHARE_ENCRYPTION_BIT_P1: u32 = 10; +pub global SHARE_ENCRYPTION_BIT_P2: u32 = 51; + +// share_encryption_sk - bounds +pub global SHARE_ENCRYPTION_T: Field = 68719403009; +pub global SHARE_ENCRYPTION_Q_MOD_T: Field = 2415755265; +pub global SHARE_ENCRYPTION_K0IS: [Field; L] = [1284838520228573]; +pub global SHARE_ENCRYPTION_PK_BOUNDS: [Field; L] = [1125899906777088]; +pub global SHARE_ENCRYPTION_E0_BOUND: Field = 6; +pub global SHARE_ENCRYPTION_E1_BOUND: Field = 6; +pub global SHARE_ENCRYPTION_U_BOUND: Field = 1; +pub global SHARE_ENCRYPTION_R1_LOW_BOUNDS: [Field; L] = [19605059183]; +pub global SHARE_ENCRYPTION_R1_UP_BOUNDS: [Field; L] = [19605059183]; +pub global SHARE_ENCRYPTION_R2_BOUNDS: [Field; L] = [1125899906777088]; +pub global SHARE_ENCRYPTION_P1_BOUNDS: [Field; L] = [256]; +pub global SHARE_ENCRYPTION_P2_BOUNDS: [Field; L] = [1125899906777088]; +pub global SHARE_ENCRYPTION_MSG_BOUND: Field = 68719403008; + +// share_encryption_sk - configs +pub global SHARE_ENCRYPTION_CONFIGS_SK: ShareEncryptionConfigs = ShareEncryptionConfigs::new( + SHARE_ENCRYPTION_T, + SHARE_ENCRYPTION_Q_MOD_T, + QIS, + SHARE_ENCRYPTION_K0IS, + SHARE_ENCRYPTION_PK_BOUNDS, + SHARE_ENCRYPTION_E0_BOUND, + SHARE_ENCRYPTION_E1_BOUND, + SHARE_ENCRYPTION_U_BOUND, + SHARE_ENCRYPTION_R1_LOW_BOUNDS, + SHARE_ENCRYPTION_R1_UP_BOUNDS, + SHARE_ENCRYPTION_R2_BOUNDS, + SHARE_ENCRYPTION_P1_BOUNDS, + SHARE_ENCRYPTION_P2_BOUNDS, + SHARE_ENCRYPTION_MSG_BOUND, +); + +/************************************ +------------------------------------- +share_encryption_e_sm (CIRCUIT 3b) +------------------------------------- +************************************/ + +// share_encryption_e_sm uses the same bit parameters and bounds as share_encryption_sk +pub global SHARE_ENCRYPTION_CONFIGS_E_SM: ShareEncryptionConfigs = ShareEncryptionConfigs::new( + SHARE_ENCRYPTION_T, + SHARE_ENCRYPTION_Q_MOD_T, + QIS, + SHARE_ENCRYPTION_K0IS, + SHARE_ENCRYPTION_PK_BOUNDS, + SHARE_ENCRYPTION_E0_BOUND, + 
SHARE_ENCRYPTION_E1_BOUND, + SHARE_ENCRYPTION_U_BOUND, + SHARE_ENCRYPTION_R1_LOW_BOUNDS, + SHARE_ENCRYPTION_R1_UP_BOUNDS, + SHARE_ENCRYPTION_R2_BOUNDS, + SHARE_ENCRYPTION_P1_BOUNDS, + SHARE_ENCRYPTION_P2_BOUNDS, + SHARE_ENCRYPTION_MSG_BOUND, +); + +/************************************ +------------------------------------- +share_decryption_sk (CIRCUIT 4a) +------------------------------------- +************************************/ + +// share_decryption_sk - bit parameters +pub global SHARE_DECRYPTION_BIT_MSG_SK: u32 = 37; + +/************************************ +------------------------------------- +share_decryption_e_sm (CIRCUIT 4b) +------------------------------------- +************************************/ + +// share_decryption_e_sm - bit parameters +pub global SHARE_DECRYPTION_BIT_MSG_E_SM: u32 = 37; diff --git a/circuits/lib/src/configs/insecure/mod.nr b/circuits/lib/src/configs/insecure/mod.nr index 2d2beb97b1..7f7f3382b1 100644 --- a/circuits/lib/src/configs/insecure/mod.nr +++ b/circuits/lib/src/configs/insecure/mod.nr @@ -4,5 +4,5 @@ // without even the implied warranty of MERCHANTABILITY // or FITNESS FOR A PARTICULAR PURPOSE. -pub mod bfv; -pub mod trbfv; +pub mod dkg; +pub mod threshold; diff --git a/circuits/lib/src/configs/insecure/threshold.nr b/circuits/lib/src/configs/insecure/threshold.nr new file mode 100644 index 0000000000..cbbaeb5c22 --- /dev/null +++ b/circuits/lib/src/configs/insecure/threshold.nr 
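Review bot: `PARITY_MATRIX` is typed in terms of `N_PARTIES`, `T` and `L_THRESHOLD`, but its entries are literals that only hold for `N_PARTIES = 5`, `T = 2` and the two `QIS_THRESHOLD` moduli (each row is a handful of small signed integers reduced modulo 68719403009 or 68719230977 with an identity block on the right), so changing the committee size in `committee/small.nr` fails to type-check at best and, if someone resizes the literal to match, silently accepts shares that are not on a degree-T polynomial. State the derivation and the coupling in the doc comment, e.g. `/// Parity checks of the degree-T code over N_PARTIES + 1 evaluation points, reduced modulo QIS_THRESHOLD[i]; must be regenerated whenever N_PARTIES, T or the threshold moduli change.` — hedged, the exact code construction is inferred from the shape and a spot check of the rows. The comment `// verify_shares - configs` above `SHARE_COMPUTATION_E_SM_CONFIGS` is stale from the rename and should read `// share_computation_e_sm - configs`. The import `use crate::configs::default::{N_PARTIES, T};` points from this preset back to the selector module that re-exports it; taking them from `committee::small` directly would keep the dependency one-directional.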
@@ -0,0 +1,149 @@ +// SPDX-License-Identifier: LGPL-3.0-only +// +// This file is provided WITHOUT ANY WARRANTY; +// without even the implied warranty of MERCHANTABILITY +// or FITNESS FOR A PARTICULAR PURPOSE. + +use crate::core::threshold::decrypted_shares_aggregation::Configs as DecryptedSharesAggregationConfigs; +use crate::core::threshold::pk_aggregation::Configs as PkAggregationConfigs; +use crate::core::threshold::pk_generation::Configs as PkGenerationConfigs; +use crate::core::threshold::share_decryption::Configs as ShareDecryptionConfigs; +use crate::core::threshold::user_data_encryption::Configs as UserDataEncryptionConfigs; + +// Global configs for threshold insecure preset +pub global N: u32 = 512; +pub global L: u32 = 2; +pub global PLAINTEXT_MODULUS: Field = 10; +pub global QIS: [Field; L] = [68719403009, 68719230977]; +pub global Q_MOD_T_MOD_P: Field = 3; +pub global Q_MOD_T: Field = 3; +pub global Q_INVERSE_MOD_T: Field = 7; +pub global T_INV_MOD_Q: Field = 1416703358393105942938; + +/************************************ +------------------------------------- +pk_generation (CIRCUIT 1) +------------------------------------- +************************************/ + +// pk_generation - bit parameters +pub global PK_GENERATION_BIT_EEK: u32 = 6; +pub global PK_GENERATION_BIT_SK: u32 = 2; +pub global PK_GENERATION_BIT_E_SM: u32 = 18; +pub global PK_GENERATION_BIT_R1: u32 = 14; +pub global PK_GENERATION_BIT_R2: u32 = 36; +pub global PK_GENERATION_BIT_PK: u32 = 36; + +// pk_generation - bounds +pub global PK_GENERATION_EEK_BOUND: Field = 20; +pub global PK_GENERATION_SK_BOUND: Field = 1; +pub global PK_GENERATION_E_SM_BOUND: Field = 122892; +pub global PK_GENERATION_R1_BOUNDS: [Field; L] = [5120, 5120]; +pub global PK_GENERATION_R2_BOUNDS: [Field; L] = [34359701504, 34359615488]; + +// pk_generation - configs +pub global PK_GENERATION_CONFIGS: PkGenerationConfigs = PkGenerationConfigs::new( + QIS, + PK_GENERATION_EEK_BOUND, + PK_GENERATION_SK_BOUND, + 
PK_GENERATION_E_SM_BOUND, + PK_GENERATION_R1_BOUNDS, + PK_GENERATION_R2_BOUNDS, +); + +/************************************ +------------------------------------- +pk_aggregation (CIRCUIT 5) +------------------------------------- +************************************/ + +// pk_aggregation - bit parameters +pub global PK_AGGREGATION_BIT_PK: u32 = 36; + +// pk_aggregation - configs +pub global PK_AGGREGATION_CONFIGS: PkAggregationConfigs = PkAggregationConfigs::new(QIS); + +/************************************ +------------------------------------- +user_data_encryption (CIRCUIT 6) +------------------------------------- +************************************/ + +// user_data_encryption - bit parameters +pub global USER_DATA_ENCRYPTION_BIT_PK: u32 = 36; +pub global USER_DATA_ENCRYPTION_BIT_CT: u32 = 36; +pub global USER_DATA_ENCRYPTION_BIT_U: u32 = 2; +pub global USER_DATA_ENCRYPTION_BIT_E0: u32 = 6; +pub global USER_DATA_ENCRYPTION_BIT_E1: u32 = 6; +pub global USER_DATA_ENCRYPTION_BIT_K: u32 = 4; +pub global USER_DATA_ENCRYPTION_BIT_R1: u32 = 10; +pub global USER_DATA_ENCRYPTION_BIT_R2: u32 = 36; +pub global USER_DATA_ENCRYPTION_BIT_P1: u32 = 10; +pub global USER_DATA_ENCRYPTION_BIT_P2: u32 = 36; + +// user_data_encryption - bounds +pub global USER_DATA_ENCRYPTION_K0IS: [Field; L] = [61847462708, 20615769293]; +pub global USER_DATA_ENCRYPTION_PK_BOUNDS: [Field; L] = [34359701504, 34359615488]; +pub global USER_DATA_ENCRYPTION_E0_BOUND: Field = 20; +pub global USER_DATA_ENCRYPTION_E1_BOUND: Field = 20; +pub global USER_DATA_ENCRYPTION_U_BOUND: Field = 1; +pub global USER_DATA_ENCRYPTION_K1_LOW_BOUND: Field = 5; +pub global USER_DATA_ENCRYPTION_K1_UP_BOUND: Field = 4; +pub global USER_DATA_ENCRYPTION_R1_LOW_BOUNDS: [Field; L] = [261, 258]; +pub global USER_DATA_ENCRYPTION_R1_UP_BOUNDS: [Field; L] = [260, 258]; +pub global USER_DATA_ENCRYPTION_R2_BOUNDS: [Field; L] = [34359701504, 34359615488]; +pub global USER_DATA_ENCRYPTION_P1_BOUNDS: [Field; L] = [256, 256]; +pub 
global USER_DATA_ENCRYPTION_P2_BOUNDS: [Field; L] = [34359701504, 34359615488]; + +// greco - configs +pub global USER_DATA_ENCRYPTION_CONFIGS: UserDataEncryptionConfigs = UserDataEncryptionConfigs::new( + Q_MOD_T, + QIS, + USER_DATA_ENCRYPTION_K0IS, + USER_DATA_ENCRYPTION_PK_BOUNDS, + USER_DATA_ENCRYPTION_E0_BOUND, + USER_DATA_ENCRYPTION_E1_BOUND, + USER_DATA_ENCRYPTION_U_BOUND, + USER_DATA_ENCRYPTION_R1_LOW_BOUNDS, + USER_DATA_ENCRYPTION_R1_UP_BOUNDS, + USER_DATA_ENCRYPTION_R2_BOUNDS, + USER_DATA_ENCRYPTION_P1_BOUNDS, + USER_DATA_ENCRYPTION_P2_BOUNDS, + USER_DATA_ENCRYPTION_K1_LOW_BOUND, + USER_DATA_ENCRYPTION_K1_UP_BOUND, +); + +/************************************ +------------------------------------- +share_decryption (GRECO) +------------------------------------- +************************************/ + +// share_decryption - bit parameters +pub global SHARE_DECRYPTION_BIT_CT: u32 = 36; +pub global SHARE_DECRYPTION_BIT_SK: u32 = 36; +pub global SHARE_DECRYPTION_BIT_E_SM: u32 = 36; +pub global SHARE_DECRYPTION_BIT_R1: u32 = 44; +pub global SHARE_DECRYPTION_BIT_R2: u32 = 36; +pub global SHARE_DECRYPTION_BIT_D: u32 = 36; + +// share_decryption - bounds +pub global SHARE_DECRYPTION_R1_BOUNDS: [Field; L] = [8796083584897, 8796061564801]; +pub global SHARE_DECRYPTION_R2_BOUNDS: [Field; L] = [34359701504, 34359615488]; + +// share_decryption - configs +pub global SHARE_DECRYPTION_CONFIGS: ShareDecryptionConfigs = + ShareDecryptionConfigs::new(QIS, SHARE_DECRYPTION_R1_BOUNDS, SHARE_DECRYPTION_R2_BOUNDS); + +/************************************ +------------------------------------- +decrypted_shares_aggregation (CIRCUIT 7) +------------------------------------- +************************************/ + +// decrypted_shares_aggregation - bit parameters +pub global DECRYPTED_SHARES_AGGREGATION_BIT_NOISE: u32 = 69; + +// decrypted_shares_aggregation - configs +pub global DECRYPTED_SHARES_AGGREGATION_CONFIGS: DecryptedSharesAggregationConfigs = + 
DecryptedSharesAggregationConfigs::new(QIS, PLAINTEXT_MODULUS, Q_INVERSE_MOD_T);
diff --git a/circuits/lib/src/configs/insecure/trbfv.nr b/circuits/lib/src/configs/insecure/trbfv.nr
deleted file mode 100644
index f7d86c37d0..0000000000
--- a/circuits/lib/src/configs/insecure/trbfv.nr
+++ /dev/null
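Review bot: The section headers in the new insecure preset disagree with the secure preset and with the file's own comment convention: user_data_encryption is tagged `(CIRCUIT 6)` and share_decryption `(GRECO)`, whereas secure/threshold.nr tags user_data_encryption as `(GRECO)`, and the comment above USER_DATA_ENCRYPTION_CONFIGS still reads `// greco - configs` while every other block uses the circuit's own name. Judging by the removed trbfv.nr, where greco was the encryption circuit and dec_share was circuit 6, the two tags look swapped. I would change the headers to `user_data_encryption (GRECO)` and `share_decryption (CIRCUIT 6)` and the comment to `// user_data_encryption - configs`, so that grep across presets finds the same constant under the same label.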
@@ -1,176 +0,0 @@ -// SPDX-License-Identifier: LGPL-3.0-only -// -// This file is provided WITHOUT ANY WARRANTY; -// without even the implied warranty of MERCHANTABILITY -// or FITNESS FOR A PARTICULAR PURPOSE. - -use crate::core::greco::Configs as GrecoConfigs; -use crate::core::trbfv_dec_share::Configs as DecShareTrBfvConfigs; -use crate::core::trbfv_dec_shares_agg::Configs as DecShareAggTrBfvConfigs; -use crate::core::trbfv_pk::Configs as TrbfvPkConfigs; -use crate::core::trbfv_pk_agg::Configs as PkAggTrBfvConfigs; -use crate::core::trbfv_verify_shares::Configs as VerifySharesConfigs; - -// Global configs for BFV parameter set -pub global N: u32 = 512; -pub global L: u32 = 2; -pub global PLAINTEXT_MODULUS: Field = 10; -pub global QIS: [Field; L] = [68719403009, 68719230977]; -pub global Q_MOD_T_MOD_P: Field = 3; -pub global Q_MOD_T: Field = 3; -pub global Q_INVERSE_MOD_T: Field = 7; -pub global T_INV_MOD_Q: Field = 1416703358393105942938; - -/************************************ -------------------------------------- -pk_trbfv (CIRCUIT 1 - PUBLIC KEY THRESHOLD BFV) -------------------------------------- -************************************/ - -// pk_trbfv - bit parameters -pub global PK_TRBFV_BIT_EEK: u32 = 6; -pub global PK_TRBFV_BIT_SK: u32 = 2; -pub global PK_TRBFV_BIT_E_SM: u32 = 18; -pub global PK_TRBFV_BIT_R1: u32 = 14; -pub global PK_TRBFV_BIT_R2: u32 = 36; -pub global PK_TRBFV_BIT_PK: u32 = 36; - -// pk_trbfv - bounds -pub global PK_TRBFV_EEK_BOUND: Field = 20; -pub global PK_TRBFV_SK_BOUND: Field = 1; -pub global PK_TRBFV_E_SM_BOUND: Field = 122892; -pub global PK_TRBFV_R1_BOUNDS: [Field; L] = [5120, 5120]; -pub global PK_TRBFV_R2_BOUNDS: [Field; L] = [34359701504, 34359615488]; - -// pk_trbfv - configs -pub global PK_TRBFV_CONFIGS: TrbfvPkConfigs = TrbfvPkConfigs::new( - QIS, - PK_TRBFV_EEK_BOUND, - PK_TRBFV_SK_BOUND, - PK_TRBFV_E_SM_BOUND, - PK_TRBFV_R1_BOUNDS, - PK_TRBFV_R2_BOUNDS, -); - -/************************************ 
-------------------------------------- -verify_shares (CIRCUIT 2a - VERIFY SHARES SK) -------------------------------------- -************************************/ - -// verify_shares - bit parameters -pub global VERIFY_SHARES_BIT_SHARE: u32 = 37; -pub global VERIFY_SHARES_BIT_SECRET_SK: u32 = 2; - -// verify_shares - configs -pub global VERIFY_SHARES_CONFIGS_SK: VerifySharesConfigs = VerifySharesConfigs::new(QIS); - -/************************************ -------------------------------------- -verify_shares (CIRCUIT 2b - VERIFY SHARES E_SM) -------------------------------------- -************************************/ - -// verify_shares - bit parameters -pub global VERIFY_SHARES_BIT_SECRET_E_SM: u32 = 18; - -// verify_shares - configs -pub global VERIFY_SHARES_CONFIGS_E_SM: VerifySharesConfigs = VerifySharesConfigs::new(QIS); - -/************************************ -------------------------------------- -pk_agg_trbfv (CIRCUIT 5 - PUBLIC KEY AGGREGATION TRBFV) -------------------------------------- -************************************/ - -// pk_agg_trbfv - bit parameters -pub global PK_AGG_TRBFV_BIT_PK: u32 = 36; - -// pk_agg_trbfv - configs -pub global PK_AGG_TRBFV_CONFIGS: PkAggTrBfvConfigs = PkAggTrBfvConfigs::new(QIS); - -/************************************ -------------------------------------- -greco (USED FOR ENCRYPTION TRBFV x PVSS) -------------------------------------- -************************************/ - -// greco - bit parameters -pub global GRECO_BIT_PK: u32 = 36; -pub global GRECO_BIT_CT: u32 = 36; -pub global GRECO_BIT_U: u32 = 2; -pub global GRECO_BIT_E0: u32 = 6; -pub global GRECO_BIT_E1: u32 = 6; -pub global GRECO_BIT_K: u32 = 4; -pub global GRECO_BIT_R1: u32 = 10; -pub global GRECO_BIT_R2: u32 = 36; -pub global GRECO_BIT_P1: u32 = 10; -pub global GRECO_BIT_P2: u32 = 36; - -// greco - bounds -pub global GRECO_Q_MOD_T: Field = 3; -pub global GRECO_K0IS: [Field; L] = [61847462708, 20615769293]; -pub global GRECO_PK_BOUNDS: [Field; L] = 
[34359701504, 34359615488]; -pub global GRECO_E0_BOUND: Field = 20; -pub global GRECO_E1_BOUND: Field = 20; -pub global GRECO_U_BOUND: Field = 1; -pub global GRECO_K1_LOW_BOUND: Field = 5; -pub global GRECO_K1_UP_BOUND: Field = 4; -pub global GRECO_R1_LOW_BOUNDS: [Field; L] = [261, 258]; -pub global GRECO_R1_UP_BOUNDS: [Field; L] = [260, 258]; -pub global GRECO_R2_BOUNDS: [Field; L] = [34359701504, 34359615488]; -pub global GRECO_P1_BOUNDS: [Field; L] = [256, 256]; -pub global GRECO_P2_BOUNDS: [Field; L] = [34359701504, 34359615488]; - -// greco - configs -pub global GRECO_CONFIGS: GrecoConfigs = GrecoConfigs::new( - GRECO_Q_MOD_T, - QIS, - GRECO_K0IS, - GRECO_PK_BOUNDS, - GRECO_E0_BOUND, - GRECO_E1_BOUND, - GRECO_U_BOUND, - GRECO_R1_LOW_BOUNDS, - GRECO_R1_UP_BOUNDS, - GRECO_R2_BOUNDS, - GRECO_P1_BOUNDS, - GRECO_P2_BOUNDS, - GRECO_K1_LOW_BOUND, - GRECO_K1_UP_BOUND, -); - -/************************************ -------------------------------------- -dec_share_trbfv (CIRCUIT 6 - DECRYPTION SHARE TRBFV) -------------------------------------- -************************************/ - -// dec_share_trbfv - bit parameters -pub global DEC_SHARES_BIT_CT: u32 = 36; -pub global DEC_SHARES_BIT_S: u32 = 36; -pub global DEC_SHARES_BIT_E: u32 = 36; -pub global DEC_SHARES_BIT_R1: u32 = 44; -pub global DEC_SHARES_BIT_R2: u32 = 36; -pub global DEC_SHARES_BIT_D: u32 = 36; - -// dec_share_trbfv - bounds -pub global DEC_SHARES_R1_BOUNDS: [Field; L] = [8796083584897, 8796061564801]; -pub global DEC_SHARES_R2_BOUNDS: [Field; L] = [34359701504, 34359615488]; - -// dec_share_trbfv - configs -pub global DEC_SHARES_CONFIGS: DecShareTrBfvConfigs = - DecShareTrBfvConfigs::new(QIS, DEC_SHARES_R1_BOUNDS, DEC_SHARES_R2_BOUNDS); - -/************************************ -------------------------------------- -dec_shares_agg_trbfv (CIRCUIT 7 - DECRYPTION SHARE AGGREGATION TRBFV) -------------------------------------- -************************************/ - -// dec_shares_agg_trbfv - bit parameters 
-pub global DEC_SHARES_AGG_BIT_NOISE: u32 = 69;
-
-// dec_shares_agg_trbfv - configs
-pub global DEC_SHARES_AGG_CONFIGS: DecShareAggTrBfvConfigs =
- DecShareAggTrBfvConfigs::new(QIS, PLAINTEXT_MODULUS, Q_INVERSE_MOD_T);
diff --git a/circuits/lib/src/configs/mod.nr b/circuits/lib/src/configs/mod.nr
index 186fa2a8ac..46f0ff1d5e 100644
--- a/circuits/lib/src/configs/mod.nr
+++ b/circuits/lib/src/configs/mod.nr
@@ -4,5 +4,7 @@
 // without even the implied warranty of MERCHANTABILITY
 // or FITNESS FOR A PARTICULAR PURPOSE.
 
+pub mod default;
+pub mod committee;
 pub mod insecure;
-pub mod production;
+pub mod secure;
diff --git a/circuits/lib/src/configs/production/bfv.nr b/circuits/lib/src/configs/production/bfv.nr
deleted file mode 100644
index 5f541fc32f..0000000000
--- a/circuits/lib/src/configs/production/bfv.nr
+++ /dev/null
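Review bot: The module list in configs/mod.nr is left unsorted: `pub mod default;` is placed ahead of `pub mod committee;`, while the remaining entries (`insecure`, `secure`) are alphabetical. Reordering to `pub mod committee;`, `pub mod default;`, `pub mod insecure;`, `pub mod secure;` keeps the list consistent and makes a missing preset easier to spot. This part of the diff does not show `committee.nr` or `default.nr` being added (dkg.nr later imports `crate::configs::default`), so I assume they arrive elsewhere in the commit; if not, the crate will fail to resolve these modules.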
@@ -1,123 +0,0 @@ -// SPDX-License-Identifier: LGPL-3.0-only -// -// This file is provided WITHOUT ANY WARRANTY; -// without even the implied warranty of MERCHANTABILITY -// or FITNESS FOR A PARTICULAR PURPOSE. - -use crate::core::bfv_enc::Configs as BfvEncConfigs; - -// Global configs for BFV parameter set -pub global N: u32 = 8192; -pub global L_TRBFV: u32 = 4; -pub global L_PRIME: u32 = 2; -pub global L: u32 = 2; -pub global QIS: [Field; L] = [72057594082099201, 72057594062438401]; -pub global TRBFV_QIS: [Field; L_TRBFV] = - [2251799822204929, 4503599627763713, 4503599631433729, 4503599634579457]; -pub global Q_MOD_T: Field = 1082658244788225; -pub global PLAINTEXT_MODULUS: Field = 18014398509481984; -pub global Q_INVERSE_MOD_T: Field = 3634521516277761; -pub global T_INVERSE_MOD_Q: Field = 4144717358717138174408418870545186; - -/************************************ -------------------------------------- -pk_bfv (CIRCUIT 0 - PUBLIC KEY BFV) -------------------------------------- -************************************/ - -// pk_bfv - bit parameters - -pub global PK_BFV_BIT_PK: u32 = 58; - -/************************************ -------------------------------------- -enc_bfv (CIRCUIT 3a - BFV ENCRYPTION SK) -------------------------------------- -************************************/ - -// enc_bfv - bit parameters -pub global ENC_BFV_BIT_PK: u32 = 57; -pub global ENC_BFV_BIT_CT: u32 = 57; -pub global ENC_BFV_BIT_U: u32 = 2; -pub global ENC_BFV_BIT_E0: u32 = 6; -pub global ENC_BFV_BIT_E1: u32 = 6; -pub global ENC_BFV_BIT_MSG: u32 = 55; -pub global ENC_BFV_BIT_R1: u32 = 54; -pub global ENC_BFV_BIT_R2: u32 = 57; -pub global ENC_BFV_BIT_P1: u32 = 14; -pub global ENC_BFV_BIT_P2: u32 = 57; - -// enc_bfv - bounds -pub global ENC_BFV_T: Field = 18014398509481984; -pub global ENC_BFV_Q_MOD_T: Field = 1082658244788225; -pub global ENC_BFV_K0IS: [Field; L] = [70854796903366627, 47439047573780733]; -pub global ENC_BFV_PK_BOUNDS: [Field; L] = [36028797041049600, 
36028797031219200]; -pub global ENC_BFV_E0_BOUND: Field = 20; -pub global ENC_BFV_E1_BOUND: Field = 20; -pub global ENC_BFV_U_BOUND: Field = 1; -pub global ENC_BFV_R1_LOW_BOUNDS: [Field; L] = [8856849607495681, 5929880944709633]; -pub global ENC_BFV_R1_UP_BOUNDS: [Field; L] = [8856849607495680, 5929880944709632]; -pub global ENC_BFV_R2_BOUNDS: [Field; L] = [36028797041049600, 36028797031219200]; -pub global ENC_BFV_P1_BOUNDS: [Field; L] = [4096, 4096]; -pub global ENC_BFV_P2_BOUNDS: [Field; L] = [36028797041049600, 36028797031219200]; -pub global ENC_BFV_MSG_BOUND: Field = 18014398509481983; - -// enc_bfv - configs -pub global ENC_BFV_CONFIGS_SK: BfvEncConfigs = BfvEncConfigs::new( - ENC_BFV_T, - ENC_BFV_Q_MOD_T, - QIS, - ENC_BFV_K0IS, - ENC_BFV_PK_BOUNDS, - ENC_BFV_E0_BOUND, - ENC_BFV_E1_BOUND, - ENC_BFV_U_BOUND, - ENC_BFV_R1_LOW_BOUNDS, - ENC_BFV_R1_UP_BOUNDS, - ENC_BFV_R2_BOUNDS, - ENC_BFV_P1_BOUNDS, - ENC_BFV_P2_BOUNDS, - ENC_BFV_MSG_BOUND, -); - -/************************************ -------------------------------------- -enc_bfv (CIRCUIT 3b - BFV ENCRYPTION E_SM) -------------------------------------- -************************************/ - -// enc_bfv E_SM uses the same bit parameters and bounds as SK -pub global ENC_BFV_CONFIGS_E_SM: BfvEncConfigs = BfvEncConfigs::new( - ENC_BFV_T, - ENC_BFV_Q_MOD_T, - QIS, - ENC_BFV_K0IS, - ENC_BFV_PK_BOUNDS, - ENC_BFV_E0_BOUND, - ENC_BFV_E1_BOUND, - ENC_BFV_U_BOUND, - ENC_BFV_R1_LOW_BOUNDS, - ENC_BFV_R1_UP_BOUNDS, - ENC_BFV_R2_BOUNDS, - ENC_BFV_P1_BOUNDS, - ENC_BFV_P2_BOUNDS, - ENC_BFV_MSG_BOUND, -); - -/************************************ -------------------------------------- -dec_bfv (CIRCUIT 4a - BFV DECRYPTION SK) -------------------------------------- -************************************/ - -// dec_bfv - bit parameters -pub global DEC_BFV_BIT_MSG_SK: u32 = 56; - -/************************************ -------------------------------------- -dec_bfv (CIRCUIT 4b - BFV DECRYPTION E_SM) 
-------------------------------------- -************************************/ - -// dec_bfv - bit parameters -pub global DEC_BFV_BIT_MSG_E_SM: u32 = 56; diff --git a/circuits/lib/src/configs/production/trbfv.nr b/circuits/lib/src/configs/production/trbfv.nr deleted file mode 100644 index 4899a9caea..0000000000 --- a/circuits/lib/src/configs/production/trbfv.nr +++ /dev/null 
@@ -1,186 +0,0 @@ -// SPDX-License-Identifier: LGPL-3.0-only -// -// This file is provided WITHOUT ANY WARRANTY; -// without even the implied warranty of MERCHANTABILITY -// or FITNESS FOR A PARTICULAR PURPOSE. - -use crate::core::greco::Configs as GrecoConfigs; -use crate::core::trbfv_dec_share::Configs as DecShareTrBfvConfigs; -use crate::core::trbfv_dec_shares_agg::Configs as DecShareAggTrBfvConfigs; -use crate::core::trbfv_pk::Configs as TrbfvPkConfigs; -use crate::core::trbfv_pk_agg::Configs as PkAggTrBfvConfigs; -use crate::core::trbfv_verify_shares::Configs as VerifySharesConfigs; - -// Global configs for BFV parameter set -pub global N: u32 = 8192; -pub global L: u32 = 4; -pub global PLAINTEXT_MODULUS: Field = 100; -pub global QIS: [Field; L] = - [2251799822204929, 4503599627763713, 4503599631433729, 4503599634579457]; -pub global Q_MOD_T_MOD_P: Field = - 21888242871839275222246405745257275088548364400416034343698204186575808495598; -pub global Q_MOD_T: Field = 81; -pub global Q_INVERSE_MOD_T: Field = 21; -pub global T_INV_MOD_Q: Field = 162493576071160894262400971579825215135378801169890023914222388; - -/************************************ -------------------------------------- -pk_trbfv (CIRCUIT 1 - PUBLIC KEY THRESHOLD BFV) -------------------------------------- -************************************/ - -// pk_trbfv - bit parameters -pub global PK_TRBFV_BIT_EEK: u32 = 6; -pub global PK_TRBFV_BIT_SK: u32 = 2; -pub global PK_TRBFV_BIT_E_SM: u32 = 187; -pub global PK_TRBFV_BIT_R1: u32 = 18; -pub global PK_TRBFV_BIT_R2: u32 = 53; -pub global PK_TRBFV_BIT_PK: u32 = 53; - -// pk_trbfv - bounds -pub global PK_TRBFV_EEK_BOUND: Field = 20; -pub global PK_TRBFV_SK_BOUND: Field = 1; -pub global PK_TRBFV_E_SM_BOUND: Field = 66359003478811654788063765182202739927396573769378037760; -pub global PK_TRBFV_R1_BOUNDS: [Field; L] = [81920, 81920, 81920, 81920]; -pub global PK_TRBFV_R2_BOUNDS: [Field; L] = - [1125899911102464, 2251799813881856, 2251799815716864, 
2251799817289728]; - -// pk_trbfv - configs -pub global PK_TRBFV_CONFIGS: TrbfvPkConfigs = TrbfvPkConfigs::new( - QIS, - PK_TRBFV_EEK_BOUND, - PK_TRBFV_SK_BOUND, - PK_TRBFV_E_SM_BOUND, - PK_TRBFV_R1_BOUNDS, - PK_TRBFV_R2_BOUNDS, -); - -/************************************ -------------------------------------- -verify_shares (CIRCUIT 2a - VERIFY SHARES SK) -------------------------------------- -************************************/ - -// verify_shares - bit parameters -pub global VERIFY_SHARES_BIT_SHARE: u32 = 54; -pub global VERIFY_SHARES_BIT_SECRET_SK: u32 = 2; - -// verify_shares - configs -pub global VERIFY_SHARES_CONFIGS_SK: VerifySharesConfigs = VerifySharesConfigs::new(QIS); - -/************************************ -------------------------------------- -verify_shares (CIRCUIT 2b - VERIFY SHARES E_SM) -------------------------------------- -************************************/ - -// verify_shares - bit parameters -pub global VERIFY_SHARES_BIT_SECRET_E_SM: u32 = 187; - -// verify_shares - configs -pub global VERIFY_SHARES_CONFIGS_E_SM: VerifySharesConfigs = VerifySharesConfigs::new(QIS); - -/************************************ -------------------------------------- -pk_agg_trbfv (CIRCUIT 5 - PUBLIC KEY AGGREGATION TRBFV) -------------------------------------- -************************************/ - -// pk_agg_trbfv - bit parameters -pub global PK_AGG_TRBFV_BIT_PK: u32 = 53; - -// pk_agg_trbfv - configs -pub global PK_AGG_TRBFV_CONFIGS: PkAggTrBfvConfigs = PkAggTrBfvConfigs::new(QIS); - -/************************************ -------------------------------------- -greco (USED FOR ENCRYPTION TRBFV x PVSS) -------------------------------------- -************************************/ - -// greco - bit parameters -pub global GRECO_BIT_PK: u32 = 52; -pub global GRECO_BIT_CT: u32 = 52; -pub global GRECO_BIT_U: u32 = 2; -pub global GRECO_BIT_E0: u32 = 107; -pub global GRECO_BIT_E1: u32 = 6; -pub global GRECO_BIT_K: u32 = 7; -pub global GRECO_BIT_R1: u32 = 14; 
-pub global GRECO_BIT_R2: u32 = 53; -pub global GRECO_BIT_P1: u32 = 14; -pub global GRECO_BIT_P2: u32 = 53; - -// greco - bounds -pub global GRECO_Q_MOD_T: Field = - 21888242871839275222246405745257275088548364400416034343698204186575808495598; -pub global GRECO_K0IS: [Field; L] = - [1553741877321401, 3467771713378059, 3107483745689273, 4188347660158895]; -pub global GRECO_PK_BOUNDS: [Field; L] = - [1125899911102464, 2251799813881856, 2251799815716864, 2251799817289728]; -pub global GRECO_E0_BOUND: Field = 54890881146011919040994244755389; -pub global GRECO_E1_BOUND: Field = 20; -pub global GRECO_U_BOUND: Field = 1; -pub global GRECO_K1_LOW_BOUND: Field = 50; -pub global GRECO_K1_UP_BOUND: Field = 49; -pub global GRECO_R1_LOW_BOUNDS: [Field; L] = [4132, 4136, 4131, 4143]; -pub global GRECO_R1_UP_BOUNDS: [Field; L] = [4131, 4135, 4131, 4142]; -pub global GRECO_R2_BOUNDS: [Field; L] = - [1125899911102464, 2251799813881856, 2251799815716864, 2251799817289728]; -pub global GRECO_P1_BOUNDS: [Field; L] = [4096, 4096, 4096, 4096]; -pub global GRECO_P2_BOUNDS: [Field; L] = - [1125899911102464, 2251799813881856, 2251799815716864, 2251799817289728]; - -// greco - configs -pub global GRECO_CONFIGS: GrecoConfigs = GrecoConfigs::new( - GRECO_Q_MOD_T, - QIS, - GRECO_K0IS, - GRECO_PK_BOUNDS, - GRECO_E0_BOUND, - GRECO_E1_BOUND, - GRECO_U_BOUND, - GRECO_R1_LOW_BOUNDS, - GRECO_R1_UP_BOUNDS, - GRECO_R2_BOUNDS, - GRECO_P1_BOUNDS, - GRECO_P2_BOUNDS, - GRECO_K1_LOW_BOUND, - GRECO_K1_UP_BOUND, -); - -/************************************ -------------------------------------- -dec_share_trbfv (CIRCUIT 6 - DECRYPTION SHARE TRBFV) -------------------------------------- -************************************/ - -// dec_share_trbfv - bit parameters -pub global DEC_SHARES_BIT_CT: u32 = 53; -pub global DEC_SHARES_BIT_S: u32 = 53; -pub global DEC_SHARES_BIT_E: u32 = 53; -pub global DEC_SHARES_BIT_R1: u32 = 65; -pub global DEC_SHARES_BIT_R2: u32 = 53; -pub global DEC_SHARES_BIT_D: u32 = 53; - -// 
dec_share_trbfv - bounds -pub global DEC_SHARES_R1_BOUNDS: [Field; L] = - [4611686035875690497, 9223372037660080129, 9223372045176272897, 9223372051618723841]; -pub global DEC_SHARES_R2_BOUNDS: [Field; L] = - [1125899911102464, 2251799813881856, 2251799815716864, 2251799817289728]; - -// dec_share_trbfv - configs -pub global DEC_SHARES_CONFIGS: DecShareTrBfvConfigs = - DecShareTrBfvConfigs::new(QIS, DEC_SHARES_R1_BOUNDS, DEC_SHARES_R2_BOUNDS); - -/************************************ -------------------------------------- -dec_shares_agg_trbfv (CIRCUIT 7 - DECRYPTION SHARE AGGREGATION TRBFV) -------------------------------------- -************************************/ - -// dec_shares_agg_trbfv - bit parameters -pub global DEC_SHARES_AGG_BIT_NOISE: u32 = 201; - -// dec_shares_agg_trbfv - configs -pub global DEC_SHARES_AGG_CONFIGS: DecShareAggTrBfvConfigs = - DecShareAggTrBfvConfigs::new(QIS, PLAINTEXT_MODULUS, Q_INVERSE_MOD_T); diff --git a/circuits/lib/src/configs/secure/dkg.nr b/circuits/lib/src/configs/secure/dkg.nr new file mode 100644 index 0000000000..b92c731f59 --- /dev/null +++ b/circuits/lib/src/configs/secure/dkg.nr 
@@ -0,0 +1,174 @@ +// SPDX-License-Identifier: LGPL-3.0-only +// +// This file is provided WITHOUT ANY WARRANTY; +// without even the implied warranty of MERCHANTABILITY +// or FITNESS FOR A PARTICULAR PURPOSE. + +use crate::configs::default::{N_PARTIES, T}; +pub use crate::configs::secure::threshold::{L as L_THRESHOLD, QIS as QIS_THRESHOLD}; +use crate::core::dkg::share_computation::Configs as ShareComputationConfigs; +use crate::core::dkg::share_encryption::Configs as ShareEncryptionConfigs; + +// Global configs for DKG secure preset +pub global N: u32 = 8192; +pub global L: u32 = 2; +pub global PLAINTEXT_MODULUS: Field = 18014398509481984; +pub global QIS: [Field; L] = [72057594082099201, 72057594062438401]; +pub global Q_MOD_T: Field = 1082658244788225; +pub global Q_INVERSE_MOD_T: Field = 3634521516277761; +pub global T_INVERSE_MOD_Q: Field = 4144717358717138174408418870545186; + +/************************************ +------------------------------------- +pk (CIRCUIT 0) +------------------------------------- +************************************/ + +// pk - bit parameters + +pub global PK_BIT_PK: u32 = 58; + +/// Parity check matrix for each modulus. 
+/// PARITY_MATRIX[modulus_idx][row][col] where size is [L][N_PARTIES-T][N_PARTIES+1] +pub global PARITY_MATRIX: [[[Field; N_PARTIES + 1]; N_PARTIES - T]; L_THRESHOLD] = [ + [ + [2251799822204928, 3, 2251799822204926, 1, 0, 0], + [2251799822204926, 8, 2251799822204923, 0, 1, 0], + [2251799822204923, 15, 2251799822204919, 0, 0, 1], + ], + [ + [4503599627763712, 3, 4503599627763710, 1, 0, 0], + [4503599627763710, 8, 4503599627763707, 0, 1, 0], + [4503599627763707, 15, 4503599627763703, 0, 0, 1], + ], + [ + [4503599631433728, 3, 4503599631433726, 1, 0, 0], + [4503599631433726, 8, 4503599631433723, 0, 1, 0], + [4503599631433723, 15, 4503599631433719, 0, 0, 1], + ], + [ + [4503599634579456, 3, 4503599634579454, 1, 0, 0], + [4503599634579454, 8, 4503599634579451, 0, 1, 0], + [4503599634579451, 15, 4503599634579447, 0, 0, 1], + ], +]; + +/************************************ +------------------------------------- +share_computation_sk (CIRCUIT 2a) +------------------------------------- +************************************/ + +// share_computation_sk - bit parameters +pub global SHARE_COMPUTATION_SK_BIT_SHARE: u32 = 54; +pub global SHARE_COMPUTATION_SK_BIT_SECRET_SK: u32 = 2; + +// share_computation_sk - configs +pub global SHARE_COMPUTATION_SK_CONFIGS: ShareComputationConfigs = + ShareComputationConfigs::new(QIS_THRESHOLD); + +/************************************ +------------------------------------- +share_computation_e_sm (CIRCUIT 2b) +------------------------------------- +************************************/ + +// share_computation_e_sm - bit parameters +pub global SHARE_COMPUTATION_E_SM_BIT_E_SM: u32 = 187; + +// share_computation_e_sm - configs +pub global SHARE_COMPUTATION_E_SM_CONFIGS: ShareComputationConfigs = + ShareComputationConfigs::new(QIS_THRESHOLD); + +/************************************ +------------------------------------- +share_encryption_sk (CIRCUIT 3a) +------------------------------------- +************************************/ + +// 
share_encryption_sk - bit parameters +pub global SHARE_ENCRYPTION_BIT_PK: u32 = 57; +pub global SHARE_ENCRYPTION_BIT_CT: u32 = 57; +pub global SHARE_ENCRYPTION_BIT_U: u32 = 2; +pub global SHARE_ENCRYPTION_BIT_E0: u32 = 6; +pub global SHARE_ENCRYPTION_BIT_E1: u32 = 6; +pub global SHARE_ENCRYPTION_BIT_MSG: u32 = 55; +pub global SHARE_ENCRYPTION_BIT_R1: u32 = 54; +pub global SHARE_ENCRYPTION_BIT_R2: u32 = 57; +pub global SHARE_ENCRYPTION_BIT_P1: u32 = 14; +pub global SHARE_ENCRYPTION_BIT_P2: u32 = 57; + +// share_encryption_sk - bounds +pub global SHARE_ENCRYPTION_T: Field = 18014398509481984; +pub global SHARE_ENCRYPTION_Q_MOD_T: Field = 1082658244788225; +pub global SHARE_ENCRYPTION_K0IS: [Field; L] = [70854796903366627, 47439047573780733]; +pub global SHARE_ENCRYPTION_PK_BOUNDS: [Field; L] = [36028797041049600, 36028797031219200]; +pub global SHARE_ENCRYPTION_E0_BOUND: Field = 20; +pub global SHARE_ENCRYPTION_E1_BOUND: Field = 20; +pub global SHARE_ENCRYPTION_U_BOUND: Field = 1; +pub global SHARE_ENCRYPTION_R1_LOW_BOUNDS: [Field; L] = [8856849607495681, 5929880944709633]; +pub global SHARE_ENCRYPTION_R1_UP_BOUNDS: [Field; L] = [8856849607495680, 5929880944709632]; +pub global SHARE_ENCRYPTION_R2_BOUNDS: [Field; L] = [36028797041049600, 36028797031219200]; +pub global SHARE_ENCRYPTION_P1_BOUNDS: [Field; L] = [4096, 4096]; +pub global SHARE_ENCRYPTION_P2_BOUNDS: [Field; L] = [36028797041049600, 36028797031219200]; +pub global SHARE_ENCRYPTION_MSG_BOUND: Field = 18014398509481983; + +// share_encryption_sk - configs +pub global SHARE_ENCRYPTION_CONFIGS_SK: ShareEncryptionConfigs = ShareEncryptionConfigs::new( + SHARE_ENCRYPTION_T, + SHARE_ENCRYPTION_Q_MOD_T, + QIS, + SHARE_ENCRYPTION_K0IS, + SHARE_ENCRYPTION_PK_BOUNDS, + SHARE_ENCRYPTION_E0_BOUND, + SHARE_ENCRYPTION_E1_BOUND, + SHARE_ENCRYPTION_U_BOUND, + SHARE_ENCRYPTION_R1_LOW_BOUNDS, + SHARE_ENCRYPTION_R1_UP_BOUNDS, + SHARE_ENCRYPTION_R2_BOUNDS, + SHARE_ENCRYPTION_P1_BOUNDS, + SHARE_ENCRYPTION_P2_BOUNDS, + 
SHARE_ENCRYPTION_MSG_BOUND,
+);
+
+/************************************
+-------------------------------------
+share_encryption_e_sm (CIRCUIT 3b)
+-------------------------------------
+************************************/
+
+// share_encryption_e_sm uses the same bit parameters and bounds as SK
+pub global SHARE_ENCRYPTION_CONFIGS_E_SM: ShareEncryptionConfigs = ShareEncryptionConfigs::new(
+ SHARE_ENCRYPTION_T,
+ SHARE_ENCRYPTION_Q_MOD_T,
+ QIS,
+ SHARE_ENCRYPTION_K0IS,
+ SHARE_ENCRYPTION_PK_BOUNDS,
+ SHARE_ENCRYPTION_E0_BOUND,
+ SHARE_ENCRYPTION_E1_BOUND,
+ SHARE_ENCRYPTION_U_BOUND,
+ SHARE_ENCRYPTION_R1_LOW_BOUNDS,
+ SHARE_ENCRYPTION_R1_UP_BOUNDS,
+ SHARE_ENCRYPTION_R2_BOUNDS,
+ SHARE_ENCRYPTION_P1_BOUNDS,
+ SHARE_ENCRYPTION_P2_BOUNDS,
+ SHARE_ENCRYPTION_MSG_BOUND,
+);
+
+/************************************
+-------------------------------------
+share_decryption_sk (CIRCUIT 4a)
+-------------------------------------
+************************************/
+
+// share_decryption_sk - bit parameters
+pub global SHARE_DECRYPTION_BIT_MSG_SK: u32 = 56;
+
+/************************************
+-------------------------------------
+share_decryption_e_sm (CIRCUIT 4b)
+-------------------------------------
+************************************/
+
+// share_decryption_e_sm - bit parameters
+pub global SHARE_DECRYPTION_BIT_MSG_E_SM: u32 = 56;
diff --git a/circuits/lib/src/configs/secure/mod.nr b/circuits/lib/src/configs/secure/mod.nr
new file mode 100644
index 0000000000..7f7f3382b1
--- /dev/null
+++ b/circuits/lib/src/configs/secure/mod.nr
@@ -0,0 +1,8 @@
+// SPDX-License-Identifier: LGPL-3.0-only
+//
+// This file is provided WITHOUT ANY WARRANTY;
+// without even the implied warranty of MERCHANTABILITY
+// or FITNESS FOR A PARTICULAR PURPOSE.
+
+pub mod dkg;
+pub mod threshold;
diff --git a/circuits/lib/src/configs/secure/threshold.nr b/circuits/lib/src/configs/secure/threshold.nr
new file mode 100644
index 0000000000..0c6211f82e
--- /dev/null
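Review bot: The doc comment on PARITY_MATRIX in secure/dkg.nr says the size is `[L][N_PARTIES-T][N_PARTIES+1]`, but the declared type is `[[[Field; N_PARTIES + 1]; N_PARTIES - T]; L_THRESHOLD]` with four outer entries, i.e. the threshold preset's L (4), not this file's L (2). The first column of each block is a threshold modulus minus one (2251799822204928 against QIS_THRESHOLD's 2251799822204929, and so on), and the inner dimensions fix N_PARTIES + 1 = 6 and N_PARTIES - T = 3, so the literals appear to depend on QIS_THRESHOLD and on N_PARTIES and T from configs::default; only a dimension change would be caught by the type checker, a value change in either preset would leave the matrix silently stale. I would write the comment as `/// Parity-check matrix per threshold modulus: PARITY_MATRIX[modulus_idx][row][col], sized [L_THRESHOLD][N_PARTIES - T][N_PARTIES + 1]. Entries are generated from QIS_THRESHOLD, N_PARTIES and T and must be regenerated when any of those change.` A one-line comment next to SHARE_COMPUTATION_SK_CONFIGS saying it deliberately takes QIS_THRESHOLD while SHARE_ENCRYPTION_CONFIGS_SK takes this preset's QIS would also help, since the two are easy to confuse in the same file.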
+++ b/circuits/lib/src/configs/secure/threshold.nr 
@@ -0,0 +1,159 @@ +// SPDX-License-Identifier: LGPL-3.0-only +// +// This file is provided WITHOUT ANY WARRANTY; +// without even the implied warranty of MERCHANTABILITY +// or FITNESS FOR A PARTICULAR PURPOSE. + +use crate::core::threshold::decrypted_shares_aggregation::Configs as DecryptedSharesAggregationConfigs; +use crate::core::threshold::pk_aggregation::Configs as PkAggregationConfigs; +use crate::core::threshold::pk_generation::Configs as PkGenerationConfigs; +use crate::core::threshold::share_decryption::Configs as ShareDecryptionConfigs; +use crate::core::threshold::user_data_encryption::Configs as UserDataEncryptionConfigs; + +// Global configs for threshold secure preset +pub global N: u32 = 8192; +pub global L: u32 = 4; +pub global PLAINTEXT_MODULUS: Field = 100; +pub global QIS: [Field; L] = + [2251799822204929, 4503599627763713, 4503599631433729, 4503599634579457]; +pub global Q_MOD_T_MOD_P: Field = + 21888242871839275222246405745257275088548364400416034343698204186575808495598; +pub global Q_MOD_T: Field = 81; +pub global Q_INVERSE_MOD_T: Field = 21; +pub global T_INV_MOD_Q: Field = 162493576071160894262400971579825215135378801169890023914222388; + +/************************************ +------------------------------------- +pk_generation (CIRCUIT 1) +------------------------------------- +************************************/ + +// pk_generation - bit parameters +pub global PK_GENERATION_BIT_EEK: u32 = 6; +pub global PK_GENERATION_BIT_SK: u32 = 2; +pub global PK_GENERATION_BIT_E_SM: u32 = 187; +pub global PK_GENERATION_BIT_R1: u32 = 18; +pub global PK_GENERATION_BIT_R2: u32 = 53; +pub global PK_GENERATION_BIT_PK: u32 = 53; + +// pk_generation - bounds +pub global PK_GENERATION_EEK_BOUND: Field = 20; +pub global PK_GENERATION_SK_BOUND: Field = 1; +pub global PK_GENERATION_E_SM_BOUND: Field = + 66359003478811654788063765182202739927396573769378037760; +pub global PK_GENERATION_R1_BOUNDS: [Field; L] = [81920, 81920, 81920, 81920]; +pub global 
PK_GENERATION_R2_BOUNDS: [Field; L] = + [1125899911102464, 2251799813881856, 2251799815716864, 2251799817289728]; + +// pk_generation - configs +pub global PK_GENERATION_CONFIGS: PkGenerationConfigs = PkGenerationConfigs::new( + QIS, + PK_GENERATION_EEK_BOUND, + PK_GENERATION_SK_BOUND, + PK_GENERATION_E_SM_BOUND, + PK_GENERATION_R1_BOUNDS, + PK_GENERATION_R2_BOUNDS, +); + +/************************************ +------------------------------------- +pk_aggregation (CIRCUIT 5) +------------------------------------- +************************************/ + +// pk_aggregation - bit parameters +pub global PK_AGGREGATION_BIT_PK: u32 = 53; + +// pk_aggregation - configs +pub global PK_AGGREGATION_CONFIGS: PkAggregationConfigs = PkAggregationConfigs::new(QIS); + +/************************************ +------------------------------------- +user_data_encryption (GRECO) +------------------------------------- +************************************/ + +// user_data_encryption - bit parameters +pub global USER_DATA_ENCRYPTION_BIT_PK: u32 = 52; +pub global USER_DATA_ENCRYPTION_BIT_CT: u32 = 52; +pub global USER_DATA_ENCRYPTION_BIT_U: u32 = 2; +pub global USER_DATA_ENCRYPTION_BIT_E0: u32 = 107; +pub global USER_DATA_ENCRYPTION_BIT_E1: u32 = 6; +pub global USER_DATA_ENCRYPTION_BIT_K: u32 = 7; +pub global USER_DATA_ENCRYPTION_BIT_R1: u32 = 14; +pub global USER_DATA_ENCRYPTION_BIT_R2: u32 = 53; +pub global USER_DATA_ENCRYPTION_BIT_P1: u32 = 14; +pub global USER_DATA_ENCRYPTION_BIT_P2: u32 = 53; + +// user_data_encryption - bounds +pub global USER_DATA_ENCRYPTION_K0IS: [Field; L] = + [1553741877321401, 3467771713378059, 3107483745689273, 4188347660158895]; +pub global USER_DATA_ENCRYPTION_PK_BOUNDS: [Field; L] = + [1125899911102464, 2251799813881856, 2251799815716864, 2251799817289728]; +pub global USER_DATA_ENCRYPTION_E0_BOUND: Field = 54890881146011919040994244755389; +pub global USER_DATA_ENCRYPTION_E1_BOUND: Field = 20; +pub global USER_DATA_ENCRYPTION_U_BOUND: Field = 1; +pub 
global USER_DATA_ENCRYPTION_K1_LOW_BOUND: Field = 50; +pub global USER_DATA_ENCRYPTION_K1_UP_BOUND: Field = 49; +pub global USER_DATA_ENCRYPTION_R1_LOW_BOUNDS: [Field; L] = [4132, 4136, 4131, 4143]; +pub global USER_DATA_ENCRYPTION_R1_UP_BOUNDS: [Field; L] = [4131, 4135, 4131, 4142]; +pub global USER_DATA_ENCRYPTION_R2_BOUNDS: [Field; L] = + [1125899911102464, 2251799813881856, 2251799815716864, 2251799817289728]; +pub global USER_DATA_ENCRYPTION_P1_BOUNDS: [Field; L] = [4096, 4096, 4096, 4096]; +pub global USER_DATA_ENCRYPTION_P2_BOUNDS: [Field; L] = + [1125899911102464, 2251799813881856, 2251799815716864, 2251799817289728]; + +// greco - configs +pub global USER_DATA_ENCRYPTION_CONFIGS: UserDataEncryptionConfigs = UserDataEncryptionConfigs::new( + Q_MOD_T_MOD_P, + QIS, + USER_DATA_ENCRYPTION_K0IS, + USER_DATA_ENCRYPTION_PK_BOUNDS, + USER_DATA_ENCRYPTION_E0_BOUND, + USER_DATA_ENCRYPTION_E1_BOUND, + USER_DATA_ENCRYPTION_U_BOUND, + USER_DATA_ENCRYPTION_R1_LOW_BOUNDS, + USER_DATA_ENCRYPTION_R1_UP_BOUNDS, + USER_DATA_ENCRYPTION_R2_BOUNDS, + USER_DATA_ENCRYPTION_P1_BOUNDS, + USER_DATA_ENCRYPTION_P2_BOUNDS, + USER_DATA_ENCRYPTION_K1_LOW_BOUND, + USER_DATA_ENCRYPTION_K1_UP_BOUND, +); + +/************************************ +------------------------------------- +share_decryption (CIRCUIT 6) +------------------------------------- +************************************/ + +// share_decryption - bit parameters +pub global SHARE_DECRYPTION_BIT_CT: u32 = 53; +pub global SHARE_DECRYPTION_BIT_SK: u32 = 53; +pub global SHARE_DECRYPTION_BIT_E_SM: u32 = 53; +pub global SHARE_DECRYPTION_BIT_R1: u32 = 65; +pub global SHARE_DECRYPTION_BIT_R2: u32 = 53; +pub global SHARE_DECRYPTION_BIT_D: u32 = 53; + +// share_decryption - bounds +pub global SHARE_DECRYPTION_R1_BOUNDS: [Field; L] = + [4611686035875690497, 9223372037660080129, 9223372045176272897, 9223372051618723841]; +pub global SHARE_DECRYPTION_R2_BOUNDS: [Field; L] = + [1125899911102464, 2251799813881856, 2251799815716864, 
2251799817289728]; + +// share_decryption - configs +pub global SHARE_DECRYPTION_CONFIGS: ShareDecryptionConfigs = + ShareDecryptionConfigs::new(QIS, SHARE_DECRYPTION_R1_BOUNDS, SHARE_DECRYPTION_R2_BOUNDS); + +/************************************ +------------------------------------- +decrypted_shares_aggregation (CIRCUIT 7) +------------------------------------- +************************************/ + +// decrypted_shares_aggregation - bit parameters +pub global DECRYPTED_SHARES_AGGREGATION_BIT_NOISE: u32 = 201; + +// decrypted_shares_aggregation - configs +pub global DECRYPTED_SHARES_AGGREGATION_CONFIGS: DecryptedSharesAggregationConfigs = + DecryptedSharesAggregationConfigs::new(QIS, PLAINTEXT_MODULUS, Q_INVERSE_MOD_T); diff --git a/circuits/lib/src/core/bfv_pk.nr b/circuits/lib/src/core/bfv_pk.nr deleted file mode 100644 index d4cd09d5db..0000000000 --- a/circuits/lib/src/core/bfv_pk.nr +++ /dev/null @@ -1,32 +0,0 @@ -// SPDX-License-Identifier: LGPL-3.0-only -// -// This file is provided WITHOUT ANY WARRANTY; -// without even the implied warranty of MERCHANTABILITY -// or FITNESS FOR A PARTICULAR PURPOSE. - -use crate::math::commitments::compute_pk_bfv_commitment; -use crate::math::polynomial::Polynomial; - -/// BFV Public Key Commitment Circuit (Circuit 0). -/// -/// commit to the BFV public key for later verification. -/// No validation of pk correctness - that's caught by decryption failures in Circuit 4. -pub struct BfvPkCommit { - /// BFV public key components (public input) - /// pk0[i] is the first component for modulus i - pk0: [Polynomial; L], - /// pk1[i] is the second component for modulus i - pk1: [Polynomial; L], -} - -impl BfvPkCommit { - pub fn new(pk0: [Polynomial; L], pk1: [Polynomial; L]) -> Self { - BfvPkCommit { pk0, pk1 } - } - - /// Main verification function - /// Returns commitment to BFV public key - pub fn verify(self) -> Field { - compute_pk_bfv_commitment::(self.pk0, self.pk1) - } -} 
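Review bot: Every bound in this preset (`PK_GENERATION_E_SM_BOUND`, `USER_DATA_ENCRYPTION_E0_BOUND`, the `*_R1_*`, `*_R2_*`, `*_P1_*`, `*_P2_*` arrays, `SHARE_DECRYPTION_R1_BOUNDS`) is a bare constant with no statement of how it was derived from `N`, `L`, `QIS` and `PLAINTEXT_MODULUS`; since these values decide what the circuits' range checks accept, a file-level comment naming the generator (script or formula) and the inputs it was run with would let a reviewer regenerate and diff them instead of trusting them. The derived globals `Q_MOD_T_MOD_P`, `Q_MOD_T`, `Q_INVERSE_MOD_T` and `T_INV_MOD_Q` deserve a one-line definition each; the aggregation `Configs` in this commit documents `q_inverse_mod_t` as `-Q^(-1) mod t`, and that sign convention should be visible here as well, e.g. `// -Q^(-1) mod t, consumed by decrypted_shares_aggregation`. The label `// greco - configs` above `USER_DATA_ENCRYPTION_CONFIGS` is the only section label that does not name its circuit; `// user_data_encryption - configs` would match the others. The section banner `user_data_encryption (GRECO)` likewise lacks the circuit number that every other banner carries.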
diff --git a/circuits/lib/src/core/dkg/mod.nr b/circuits/lib/src/core/dkg/mod.nr
new file mode 100644
index 0000000000..c96cff32f0
--- /dev/null
+++ b/circuits/lib/src/core/dkg/mod.nr
@@ -0,0 +1,10 @@
+// SPDX-License-Identifier: LGPL-3.0-only
+//
+// This file is provided WITHOUT ANY WARRANTY;
+// without even the implied warranty of MERCHANTABILITY
+// or FITNESS FOR A PARTICULAR PURPOSE.
+
+pub mod pk;
+pub mod share_computation;
+pub mod share_encryption;
+pub mod share_decryption;
diff --git a/circuits/lib/src/core/dkg/pk.nr b/circuits/lib/src/core/dkg/pk.nr
new file mode 100644
index 0000000000..2745b29efd
--- /dev/null
+++ b/circuits/lib/src/core/dkg/pk.nr
@@ -0,0 +1,29 @@
+// SPDX-License-Identifier: LGPL-3.0-only
+//
+// This file is provided WITHOUT ANY WARRANTY;
+// without even the implied warranty of MERCHANTABILITY
+// or FITNESS FOR A PARTICULAR PURPOSE.
+
+use crate::math::commitments::compute_dkg_pk_commitment;
+use crate::math::polynomial::Polynomial;
+
+/// Correct DKG Public Key Circuit (Circuit 0).
+pub struct Pk {
+ /// Correct DKG public key components
+ /// pk0[i] is the first component for modulus i
+ pk0: [Polynomial; L],
+ /// pk1[i] is the second component for modulus i
+ pk1: [Polynomial; L],
+}
+
+impl Pk {
+ pub fn new(pk0: [Polynomial; L], pk1: [Polynomial; L]) -> Self {
+ Pk { pk0, pk1 }
+ }
+
+ /// Main verification function
+ /// Returns commitment to correct DKG public key
+ pub fn execute(self) -> Field {
+ compute_dkg_pk_commitment::(self.pk0, self.pk1)
+ }
+}
diff --git a/circuits/lib/src/core/trbfv_verify_shares.nr b/circuits/lib/src/core/dkg/share_computation.nr
similarity index 80%
rename from circuits/lib/src/core/trbfv_verify_shares.nr
rename to circuits/lib/src/core/dkg/share_computation.nr
index 7e347e4c9c..d5edcbd253 100644
--- a/circuits/lib/src/core/trbfv_verify_shares.nr
+++ b/circuits/lib/src/core/dkg/share_computation.nr
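Review bot: `Pk::execute` only calls `compute_dkg_pk_commitment` and returns the result, yet the struct is documented as the "Correct DKG Public Key Circuit" and the method as "Main verification function"; nothing in this file checks that the key is correct. The deleted `bfv_pk.nr` in this same commit said so explicitly ("No validation of pk correctness - that's caught by decryption failures in Circuit 4"), and that caveat is lost in the new file, which matters because a reader of `pk.nr` alone would assume correctness is enforced here. Suggest restoring it on the struct doc, e.g. `/// Commits to the DKG public key (Circuit 0); pk correctness is not validated here, it surfaces as a decryption failure downstream (Circuit 4).`, and changing the method doc to `/// Returns the commitment to the DKG public key.`. `new` has no doc comment.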
@@ -5,13 +5,13 @@ // or FITNESS FOR A PARTICULAR PURPOSE. use crate::math::commitments::{ - compute_secret_e_sm_commitment, compute_secret_sk_commitment, - compute_spm_commitment_from_shares, + compute_share_computation_e_sm_commitment, compute_share_computation_sk_commitment, + compute_share_encryption_commitment_from_shares, }; use crate::math::modulo::U128::ModU128; use crate::math::polynomial::Polynomial; -/// Cryptographic parameters for TRBFV secret share verification circuit. +/// Cryptographic parameters for Threshold secret share verification circuit. pub struct Configs { /// CRT moduli: [q_0, q_1, ..., q_{L-1}] pub qis: [Field; L], @@ -23,16 +23,16 @@ impl Configs { } } -/// TRBFV Secret Share Verification Circuit for secret key (Circuit 2a - VERIFY SHARES SK). +/// Correct Threshold Secret Key Share Computation (Circuit 2a). /// /// Verifies: /// 1. secret commitment: verify secret hashes to expected_secret_commitment -/// 2. secret consistency: y[i][j][0] == secret_sk[i] for all i, j +/// 2. secret consistency: y[i][j][0] == sk_secret[i] for all i, j /// 3. Range check: shares are in [0, q_j) /// 4. Parity check: H[j] * y[i][j]^T == 0 mod q_j for all i, j /// -/// For SK: secret_sk is the trinary coefficients -pub struct VerifySharesSk { +/// For SK: sk_secret is the trinary coefficients +pub struct SecretKeyShareComputation { configs: Configs, /// Expected commitment to secret (from C1) /// (public witness) @@ -40,9 +40,9 @@ pub struct VerifySharesSk /// trinary coefficients /// (secret witness) - secret_sk: Polynomial, + sk_secret: Polynomial, /// Shares: y[coeff_idx][mod_idx][0..N_PARTIES+1] - /// y[i][j][0] = secret_sk[i] = f(0), y[i][j][k] = f(k) for k = 1..N_PARTIES + /// y[i][j][0] = sk_secret[i] = f(0), y[i][j][k] = f(k) for k = 1..N_PARTIES /// (secret witnesses) y: [[[Field; N_PARTIES + 1]; L]; N], /// Parity check matrices: H[mod_idx][row][col] 
@@ -52,7 +52,7 @@ pub struct VerifySharesSk { +pub struct SmudgingNoiseShareComputation { configs: Configs, /// Expected commitment to secret (from C1) /// This is computed from all L RNS polynomials (matching @@ -69,7 +69,7 @@ pub struct VerifySharesEsm; L] /// For ESM: each modulus has its own polynomial (RNS representation) - secret_e_sm: [Polynomial; L], + e_sm_secret: [Polynomial; L], /// Shares: y[coeff_idx][mod_idx][0..N_PARTIES+1] /// y[i][j][0] = e_sm[j][i] = f(0), y[i][j][k] = f(k) for k = 1..N_PARTIES y: [[[Field; N_PARTIES + 1]; L]; N], @@ -79,19 +79,19 @@ pub struct VerifySharesEsm VerifySharesSk { +impl SecretKeyShareComputation { pub fn new( configs: Configs, expected_secret_commitment: Field, - secret_sk: Polynomial, + sk_secret: Polynomial, y: [[[Field; N_PARTIES + 1]; L]; N], h: [[[Field; N_PARTIES + 1]; N_PARTIES - T]; L], ) -> Self { - VerifySharesSk { configs, expected_secret_commitment, secret_sk, y, h } + SecretKeyShareComputation { configs, expected_secret_commitment, sk_secret, y, h } } /// Main verification function - pub fn verify(self) -> [[Field; L]; N_PARTIES] { + pub fn execute(self) -> [[Field; L]; N_PARTIES] { // Step 1: Verify secret commitment matches expected self.verify_secret_commitment(); 
@@ -111,27 +111,27 @@ impl(self.secret_sk) + compute_share_computation_sk_commitment::(self.sk_secret) == self.expected_secret_commitment, "SK commitment mismatch", ); } - /// Verifies secret consistency: `y[i][j][0] == secret_sk[i]` for all i, j. + /// Verifies secret consistency: `y[i][j][0] == sk_secret[i]` for all i, j. /// /// This function ensures that for each coefficient i and CRT basis j, the share /// at party ID 0 equals the corresponding secret coefficient for that modulus. /// This is a fundamental property of Shamir secret sharing where the secret is the /// evaluation of the sharing polynomial at point 0. /// - /// secret_sk is the trinary coefficients, so y[i][j][0] is the same for all j. + /// sk_secret is the trinary coefficients, so y[i][j][0] is the same for all j. /// /// # Panics /// The circuit will fail if secret consistency doesn't hold for any /// coefficient or CRT basis. fn verify_secret_consistency(self) { for coeff_idx in 0..N { - let secret_coeff = self.secret_sk.coefficients[coeff_idx]; + let secret_coeff = self.sk_secret.coefficients[coeff_idx]; for mod_idx in 0..L { assert(self.y[coeff_idx][mod_idx][0] == secret_coeff); @@ -140,19 +140,19 @@ impl VerifySharesEsm { +impl SmudgingNoiseShareComputation { pub fn new( configs: Configs, expected_secret_commitment: Field, - secret_e_sm: [Polynomial; L], + e_sm_secret: [Polynomial; L], y: [[[Field; N_PARTIES + 1]; L]; N], h: [[[Field; N_PARTIES + 1]; N_PARTIES - T]; L], ) -> Self { - VerifySharesEsm { configs, expected_secret_commitment, secret_e_sm, y, h } + SmudgingNoiseShareComputation { configs, expected_secret_commitment, e_sm_secret, y, h } } /// Main verification function - pub fn verify(self) -> [[Field; L]; N_PARTIES] { + pub fn execute(self) -> [[Field; L]; N_PARTIES] { // Step 1: Verify secret commitment matches expected self.verify_secret_commitment(); 
@@ -174,20 +174,20 @@ impl(self.secret_e_sm) + compute_share_computation_e_sm_commitment::(self.e_sm_secret) == self.expected_secret_commitment, "ESM commitment mismatch", ); } - /// Verifies secret consistency: `y[i][j][0] == secret_e_sm[j][i]` for all i, j. + /// Verifies secret consistency: `y[i][j][0] == e_sm_secret[j][i]` for all i, j. /// /// This function ensures that for each coefficient i and CRT basis j, the share /// at party ID 0 equals the corresponding secret coefficient for that modulus. /// This is a fundamental property of Shamir secret sharing where the secret is the /// evaluation of the sharing polynomial at point 0. /// - /// secret_e_sm[j] is the RNS representation at modulus j, so y[i][j][0] varies per modulus. + /// e_sm_secret[j] is the RNS representation at modulus j, so y[i][j][0] varies per modulus. /// /// # Panics /// The circuit will fail if secret consistency doesn't hold for any @@ -195,7 +195,7 @@ impl= 1 must be in [0, q_j) for each CRT modulus q_j /// -/// These bounds are critical for security and correctness of the threshold BFV scheme. +/// These bounds are critical for security and correctness of the Threshold scheme. /// /// # Panics /// This function will cause the circuit to fail if any value is outside @@ -282,8 +282,11 @@ pub fn commit_to_party_shares( for party_idx in 0..N_PARTIES { for mod_idx in 0..L { - commitments[party_idx][mod_idx] = - compute_spm_commitment_from_shares::(y, party_idx, mod_idx); + commitments[party_idx][mod_idx] = compute_share_encryption_commitment_from_shares::( + y, + party_idx, + mod_idx, + ); } } diff --git a/circuits/lib/src/core/bfv_dec.nr b/circuits/lib/src/core/dkg/share_decryption.nr similarity index 82% rename from circuits/lib/src/core/bfv_dec.nr rename to circuits/lib/src/core/dkg/share_decryption.nr index 83308dfc84..1ffe3a09a0 100644 --- a/circuits/lib/src/core/bfv_dec.nr +++ b/circuits/lib/src/core/dkg/share_decryption.nr 
@@ -5,17 +5,17 @@ // or FITNESS FOR A PARTICULAR PURPOSE. use crate::math::commitments::{ - compute_aggregated_shares_commitment, compute_spm_commitment_from_message, + compute_aggregated_shares_commitment, compute_share_encryption_commitment_from_message, }; use crate::math::polynomial::Polynomial; -/// BFV Decryption Commitment Verification (Circuit 4). +/// Share Decryption Commitment Verification (Circuit 4). /// /// Verifies: /// 1. Each decrypted share from H honest parties matches its commitment from Circuit 3 /// 2. Computes sum of all shares /// 3. Returns commitment to aggregated shares -pub struct BfvDecCommitVerify { +pub struct ShareDecryption { /// Expected commitments from Circuit 3 for H honest parties: [party_idx][mod_idx] /// (public witness) expected_commitments: [[Field; L]; H], @@ -25,12 +25,12 @@ pub struct BfvDecCommitVerify; L]; H], } -impl BfvDecCommitVerify { +impl ShareDecryption { pub fn new( expected_commitments: [[Field; L]; H], decrypted_shares: [[Polynomial; L]; H], ) -> Self { - BfvDecCommitVerify { expected_commitments, decrypted_shares } + ShareDecryption { expected_commitments, decrypted_shares } } /// Verifies all decrypted shares match their expected commitments @@ -38,7 +38,7 @@ impl BfvDecCommitVerify( + compute_share_encryption_commitment_from_message::( self.decrypted_shares[party_idx][mod_idx], ) == self.expected_commitments[party_idx][mod_idx], @@ -70,7 +70,7 @@ impl BfvDecCommitVerify Field { + pub fn execute(self) -> Field { // Step 1: Verify all commitments match self.verify_commitments(); diff --git a/circuits/lib/src/core/bfv_enc.nr b/circuits/lib/src/core/dkg/share_encryption.nr similarity index 92% rename from circuits/lib/src/core/bfv_enc.nr rename to circuits/lib/src/core/dkg/share_encryption.nr index 354f65ce8c..1f48c41d53 100644 --- a/circuits/lib/src/core/bfv_enc.nr +++ b/circuits/lib/src/core/dkg/share_encryption.nr 
@@ -4,14 +4,15 @@ // without even the implied warranty of MERCHANTABILITY // or FITNESS FOR A PARTICULAR PURPOSE. +use crate::math::commitments::compute_dkg_pk_commitment; use crate::math::commitments::{ - compute_bfv_enc_challenge, compute_pk_bfv_commitment, compute_spm_commitment_from_message, + compute_share_encryption_challenge, compute_share_encryption_commitment_from_message, }; use crate::math::helpers::flatten; use crate::math::modulo::U128::ModU128; use crate::math::polynomial::Polynomial; -/// Cryptographic parameters for BFV encryption circuit. +/// Cryptographic parameters for DKG share encryption circuit. pub struct Configs { /// Plaintext modulus t pub t: Field, @@ -79,14 +80,14 @@ impl Configs { } } -/// BFV Encryption Circuit (Circuit 3). +/// DKG Share Encryption Circuit (Circuit 3). /// /// Verifies: /// 1. Public key commitment matches expected (from Circuit 0) /// 2. Message commitment matches expected (from SK shares circuit) -/// 3. Correct BFV encryption: ct0[l] = pk0[l] * u + e0[l] + k1 * k0[l] + r1[l] * q[l] + r2[l] * (X^N + 1) +/// 3. Correct DKG share encryption: ct0[l] = pk0[l] * u + e0[l] + k1 * k0[l] + r1[l] * q[l] + r2[l] * (X^N + 1) /// and ct1[l] = pk1[l] * u + e1 + p2[l] * (X^N + 1) + p1[l] * q[l] -pub struct EncryptionBfv { +pub struct ShareEncryption { /// Circuit parameters configs: Configs, /// Expected commitment to public key (from Circuit 0) @@ -125,7 +126,7 @@ pub struct EncryptionBfv; L], } -impl EncryptionBfv { +impl ShareEncryption { pub fn new( configs: Configs, expected_pk_commitment: Field, @@ -145,7 +146,7 @@ impl; L], p2is: [Polynomial; L], ) -> Self { - EncryptionBfv { + ShareEncryption { configs, expected_pk_commitment, expected_message_commitment, @@ -169,7 +170,7 @@ impl(self.pk0is, self.pk1is) + compute_dkg_pk_commitment::(self.pk0is, self.pk1is) == self.expected_pk_commitment, "Public key commitment mismatch", ); 
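Review bot: The added `use crate::math::commitments::compute_dkg_pk_commitment;` is a separate statement placed directly above the existing grouped import from the same module, so `share_encryption.nr` now imports `crate::math::commitments` twice; folding it into the brace list keeps one import per module, as `share_computation.nr` does in this commit for its three commitment helpers: `use crate::math::commitments::{compute_dkg_pk_commitment, compute_share_encryption_challenge, compute_share_encryption_commitment_from_message};` (wrapped per the file's style). The struct doc now says "Correct DKG share encryption" while the later `verify_evaluations` doc in this file says "DKG encryption constraints"; using the same term in both would keep the circuit's name searchable.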
@@ -178,7 +179,7 @@ impl(self.message) + compute_share_encryption_commitment_from_message::(self.message) == self.expected_message_commitment, "Message commitment mismatch", ); @@ -260,7 +261,7 @@ impl) -> Vec { let inputs = self.payload(k1); - compute_bfv_enc_challenge::(inputs) + compute_share_encryption_challenge::(inputs) } - /// Verifies BFV encryption constraints using Fiat-Shamir challenges and the Schwartz-Zippel lemma + /// Verifies DKG encryption constraints using Fiat-Shamir challenges and the Schwartz-Zippel lemma fn verify_evaluations(self, gammas: Vec, k1: Polynomial) { let gamma = gammas.get(0); let cyclo_at_gamma = gamma.pow_32(N as Field) + 1; diff --git a/circuits/lib/src/core/mod.nr b/circuits/lib/src/core/mod.nr index d61708018d..7f7f3382b1 100644 --- a/circuits/lib/src/core/mod.nr +++ b/circuits/lib/src/core/mod.nr @@ -4,12 +4,5 @@ // without even the implied warranty of MERCHANTABILITY // or FITNESS FOR A PARTICULAR PURPOSE. -pub mod bfv_pk; -pub mod trbfv_pk; -pub mod bfv_dec; -pub mod bfv_enc; -pub mod greco; -pub mod trbfv_dec_share; -pub mod trbfv_verify_shares; -pub mod trbfv_dec_shares_agg; -pub mod trbfv_pk_agg; +pub mod dkg; +pub mod threshold; diff --git a/circuits/lib/src/core/threshold/decrypted_shares_aggregation.nr b/circuits/lib/src/core/threshold/decrypted_shares_aggregation.nr new file mode 100644 index 0000000000..ff1f2c432d --- /dev/null +++ b/circuits/lib/src/core/threshold/decrypted_shares_aggregation.nr 
@@ -0,0 +1,403 @@ +// SPDX-License-Identifier: LGPL-3.0-only +// +// This file is provided WITHOUT ANY WARRANTY; +// without even the implied warranty of MERCHANTABILITY +// or FITNESS FOR A PARTICULAR PURPOSE. + +use crate::math::modulo::U128::ModU128; +use crate::math::polynomial::Polynomial; +use dep::bignum::BigNum; +use dep::bignum::bignum::to_field; +use dep::bignum::SecureThreshold8192; + +/// Cryptographic parameters for decryption share aggregation circuit. +pub struct Configs { + /// CRT moduli: [q_0, q_1, ..., q_{L-1}] + pub qis: [Field; L], + /// Plaintext modulus (typically denoted as `t`) + pub plaintext_modulus: Field, + /// Precomputed value: `-Q^(-1) mod t` where Q is the product of all CRT moduli + pub q_inverse_mod_t: Field, +} + +impl Configs { + pub fn new(qis: [Field; L], plaintext_modulus: Field, q_inverse_mod_t: Field) -> Self { + Configs { qis, plaintext_modulus, q_inverse_mod_t } + } +} + +/// Decrypted Shares Aggregation Circuit (Circuit 7) using BigNum +/// for large Q values. +/// +/// Verifies: +/// 1. Lagrange interpolation to compute u^{(l)} for each CRT basis +/// 2. CRT reconstruction: u^{(l)} + r^{(l)} * q_l = u_global +/// 3. Decoding verification: message = -Q^{-1} * (t * u_global)_Q mod t +pub struct DecryptedSharesAggregationBigNum { + /// Circuit parameters including crypto constants + configs: Configs, + + /// Decryption shares from t+1 parties (public witnesses) + decryption_shares: [[Polynomial; L]; T + 1], + + /// Party IDs (x-coordinates) for interpolation (public witnesses) + /// Note: Must be in strictly increasing order for correct Lagrange sign computation + party_ids: [Field; T + 1], + + /// Message polynomial m(x) (public witness) + message: Polynomial, + + /// Global u polynomial (secret witness) + u_global: Polynomial, + + /// CRT quotient polynomials (secret witnesses) + crt_quotients: [Polynomial; L], +} +/// Decrypted Shares Aggregation Circuit (Circuit 7) using modular arithmetic +/// +/// Verifies: +/// 1. 
Lagrange interpolation to compute u^{(l)} for each CRT basis +/// 2. CRT reconstruction: u^{(l)} + r^{(l)} * q_l = u_global +/// 3. Decoding verification: message = -Q^{-1} * (t * u_global)_Q mod t +pub struct DecryptedSharesAggregationModular { + /// Circuit parameters including crypto constants + configs: Configs, + + /// Decryption shares from t+1 parties (public witnesses) + decryption_shares: [[Polynomial; L]; T + 1], + + /// Party IDs (x-coordinates) for interpolation (public witnesses) + /// Note: Must be in strictly increasing order for correct Lagrange sign computation + party_ids: [Field; T + 1], + + /// Message polynomial m(x) (public witness) + message: Polynomial, + + /// Global u polynomial (secret witness) + u_global: Polynomial, + + /// CRT quotient polynomials (secret witnesses) + crt_quotients: [Polynomial; L], +} + +impl DecryptedSharesAggregationBigNum { + pub fn new( + configs: Configs, + decryption_shares: [[Polynomial; L]; T + 1], + party_ids: [Field; T + 1], + message: Polynomial, + u_global: Polynomial, + crt_quotients: [Polynomial; L], + ) -> Self { + DecryptedSharesAggregationBigNum { + configs, + decryption_shares, + party_ids, + message, + u_global, + crt_quotients, + } + } + + /// Main verification function + pub fn execute(self) { + // Step 1: Compute Lagrange coefficients in-circuit + let lagrange_coeffs = compute_all_lagrange_coeffs::(self.configs.qis, self.party_ids); + + // Step 2: Compute u^{(l)} for each CRT basis via Lagrange interpolation + let u_crts = compute_crt_components::( + self.configs.qis, + self.decryption_shares, + lagrange_coeffs, + ); + + // Step 3: Verify CRT reconstruction: u^{(l)} + r^{(l)} * q_l = u_global + verify_crt_reconstruction::( + self.configs.qis, + self.u_global, + self.crt_quotients, + u_crts, + ); + + // Step 4: Verify decoding + self.verify_decoding(); + } + + /// Verifies decoding using BigNum for large Q values + fn verify_decoding(self) { + // Compute Q as product of all CRT moduli + let mut 
q_modulus = 1 as Field; + for l in 0..L { + q_modulus *= self.configs.qis[l]; + } + + // For centered arithmetic + let q_bn = SecureThreshold8192::from(q_modulus); + + let q_half_bn = q_bn.udiv(SecureThreshold8192::from(2)); + + for coeff_idx in 0..MAX_MSG_NON_ZERO_COEFFS { + // Compute (t * u_global) mod Q using BigNum + let u_bn = SecureThreshold8192::from(self.u_global.coefficients[coeff_idx]); + let t_bn = SecureThreshold8192::from(self.configs.plaintext_modulus); + let u_bn_mod_q = u_bn.umod(q_bn); + let t_bn_mod_q = t_bn.umod(q_bn); + let t_times_u_bn_q = (t_bn_mod_q * u_bn_mod_q).umod(q_bn); + + let m = ModU128::new(self.configs.plaintext_modulus); + + // Check if centering is needed + let needs_centering = t_times_u_bn_q > q_half_bn; + + let computed_message = if needs_centering { + // When (t*u) mod Q >= Q/2: treat as negative in centered form + // Centered value is conceptually negative: (t_times_u_mod_q - Q) + // -Q^{-1} * (negative) = positive result + let centered_positive = q_bn - t_times_u_bn_q; + let centered_positive_mod_t = centered_positive.umod(t_bn); + let centered_field = to_field(centered_positive_mod_t); + m.mul_mod(self.configs.q_inverse_mod_t, centered_field) + } else { + // When (t*u) mod Q < Q/2: stays positive in centered form + // -Q^{-1} * (positive) = negative result = t - result + let t_times_u_bn_t = t_times_u_bn_q.umod(t_bn); + let t_times_u_field = to_field(t_times_u_bn_t); + let product = m.mul_mod(self.configs.q_inverse_mod_t, t_times_u_field); + if product == 0 { + 0 + } else { + self.configs.plaintext_modulus - product + } + }; + + // Verify: only check non-zero coefficients + if self.message.coefficients[coeff_idx] != 0 { + assert(computed_message == self.message.coefficients[coeff_idx]); + } + } + } +} + +impl DecryptedSharesAggregationModular { + pub fn new( + configs: Configs, + decryption_shares: [[Polynomial; L]; T + 1], + party_ids: [Field; T + 1], + message: Polynomial, + u_global: Polynomial, + crt_quotients: 
[Polynomial; L], + ) -> Self { + DecryptedSharesAggregationModular { + configs, + decryption_shares, + party_ids, + message, + u_global, + crt_quotients, + } + } + + /// Alternative verification function using efficient modular arithmetic without BigNum. + /// + /// Uses `ModU128` for decoding verification instead of BigNum. More efficient when + /// Q (the product of all CRT moduli) fits within u128 (e.g., 72 bits for insecure parameter sets). + pub fn execute(self) { + // Step 1: Compute Lagrange coefficients in-circuit + let lagrange_coeffs = compute_all_lagrange_coeffs::(self.configs.qis, self.party_ids); + + // Step 2: Compute u^{(l)} for each CRT basis via Lagrange interpolation + let u_crts = compute_crt_components::( + self.configs.qis, + self.decryption_shares, + lagrange_coeffs, + ); + + // Step 3: Verify CRT reconstruction: u^{(l)} + r^{(l)} * q_l = u_global + verify_crt_reconstruction::( + self.configs.qis, + self.u_global, + self.crt_quotients, + u_crts, + ); + // Step 4: Verify decoding + self.verify_decoding(); + } + + /// Alternative decoding verification using the formula: + /// message = -Q^{-1} * (t * u_global)_Q mod t + fn verify_decoding(self) { + let t: Field = self.configs.plaintext_modulus; + // Compute Q as product of all CRT moduli + let mut q_modulus = 1; + for l in 0..L { + q_modulus *= self.configs.qis[l]; + } + + // For centered arithmetic + let q_half = q_modulus as u128 / 2; + + for coeff_idx in 0..MAX_MSG_NON_ZERO_COEFFS { + // Compute (t * u_global) mod Q using BigNum + let q_mod = ModU128::new(q_modulus); + let t_mod = ModU128::new(t); + + // Compute (t * u_global) mod Q using modular arithmetic functions + let t_times_u_mod_q = q_mod.mul_mod(t, self.u_global.coefficients[coeff_idx]); + let needs_centering = (t_times_u_mod_q as u128) > q_half; + + let computed_message = if needs_centering { + // When (t*u) mod Q >= Q/2: treat as negative in centered form + // Centered value is conceptually negative: (t_times_u_mod_q - Q) + // 
-Q^{-1} * (negative) = positive result + let centered_positive = q_modulus - t_times_u_mod_q; + let centered_positive_mod_t = t_mod.reduce_mod(centered_positive); + + t_mod.mul_mod(self.configs.q_inverse_mod_t, centered_positive_mod_t) + } else { + // When (t*u) mod Q < Q/2: stays positive in centered form + // -Q^{-1} * (positive) = negative result = t - result + let t_times_u_mod_t = t_mod.reduce_mod(t_times_u_mod_q); + let product = t_mod.mul_mod(self.configs.q_inverse_mod_t, t_times_u_mod_t); + if product == 0 { + 0 + } else { + t - product + } + }; + + // Verify: only check non-zero coefficients + if self.message.coefficients[coeff_idx] != 0 { + assert(computed_message == self.message.coefficients[coeff_idx]); + } + } + } +} + +/// Computes all Lagrange coefficients using optimized modular arithmetic +pub fn compute_all_lagrange_coeffs( + qis: [Field; L], + party_ids: [Field; T + 1], +) -> [[Field; T + 1]; L] { + let mut lagrange_coeffs = [[0 as Field; T + 1]; L]; + + // Step 1: Cache |x_i - x_j| factors for all party pairs + let mut diffs = [[0 as Field; T + 1]; T + 1]; + for i in 0..(T + 1) { + for j in (i + 1)..(T + 1) { + let diff = party_ids[j] - party_ids[i]; + diffs[i][j] = diff; + diffs[j][i] = diff; + } + } + + // Step 2: Determine signs (same for all parties within a basis) + let numerator_sign_negative = (T % 2) == 1; + + // Step 3: For each CRT basis, compute Lagrange coefficients + for basis_idx in 0..L { + let q_l = qis[basis_idx]; + let m = ModU128::new(q_l); + + // Compute product of all party IDs: PRODUCT(j=0..T) x_j mod q_l + let mut product_x = 1 as Field; + for j in 0..(T + 1) { + product_x = m.mul_mod(product_x, party_ids[j]); + } + + // For each party i, compute L_i(0) mod q_l + for party_idx in 0..(T + 1) { + // Numerator (absolute value): PRODUCT(j!=party_idx) x_j + let numerator_abs = m.div_mod(product_x, party_ids[party_idx]); + + // Denominator (absolute value): PRODUCT(j!=party_idx) |x_party_idx - x_j| + let mut denominator_abs = 1 
as Field; + for j in 0..(T + 1) { + if j != party_idx { + denominator_abs = m.mul_mod(denominator_abs, diffs[party_idx][j]); + } + } + + // Determine denominator sign + let num_greater = T - party_idx; + let denom_sign_negative = (num_greater % 2) == 1; + + // Compute unsigned result: |numerator| / |denominator| mod q_l + let result_abs = m.div_mod(numerator_abs, denominator_abs); + + // Apply combined sign + let should_negate = numerator_sign_negative != denom_sign_negative; + let result = if should_negate { + m.reduce_mod(q_l - result_abs) + } else { + result_abs + }; + + lagrange_coeffs[basis_idx][party_idx] = result; + } + } + + lagrange_coeffs +} + +/// Computes u^{(l)} for each CRT basis via Lagrange interpolation +pub fn compute_crt_components( + qis: [Field; L], + decryption_shares: [[Polynomial; L]; T + 1], + lagrange_coeffs: [[Field; T + 1]; L], +) -> [Polynomial; L] { + let mut u_crts: [Polynomial; L] = + [Polynomial::new([0; MAX_MSG_NON_ZERO_COEFFS]); L]; + + for basis_idx in 0..L { + let q_l = qis[basis_idx]; + let m = ModU128::new(q_l); + let mut u_coeffs = [0 as Field; MAX_MSG_NON_ZERO_COEFFS]; + + // For each coefficient position + for coeff_idx in 0..MAX_MSG_NON_ZERO_COEFFS { + let mut u_coeff = 0 as Field; + + // Sum all contributions: u = SUM(i=0..T) [d_i * L_i(0)] mod q_l + for party_idx in 0..(T + 1) { + let d_coeff = decryption_shares[party_idx][basis_idx].coefficients[coeff_idx]; + let l_i_0 = lagrange_coeffs[basis_idx][party_idx]; + + let term = m.mul_mod(d_coeff, l_i_0); + u_coeff = m.reduce_mod(u_coeff + term); + } + + u_coeffs[coeff_idx] = u_coeff; + } + + u_crts[basis_idx] = Polynomial::new(u_coeffs); + } + + u_crts +} + +/// Verifies CRT reconstruction: u^{(l)} + r^{(l)} * q_l = u_global for all bases l +pub fn verify_crt_reconstruction( + qis: [Field; L], + u_global: Polynomial, + crt_quotients: [Polynomial; L], + u_crts: [Polynomial; L], +) { + for basis_idx in 0..L { + let q_l = qis[basis_idx]; + + // Compute r^{(l)} * q_l + let 
r_times_q = crt_quotients[basis_idx].mul_scalar(q_l); + + // Compute u^{(l)} + r^{(l)} * q_l + let reconstructed = u_crts[basis_idx].add(r_times_q); + + // Verify: u^{(l)} + r^{(l)} * q_l = u_global + // Must hold for every coefficient + for coeff_idx in 0..MAX_MSG_NON_ZERO_COEFFS { + assert( + reconstructed.coefficients[coeff_idx] == u_global.coefficients[coeff_idx], + "CRT reconstruction verification failed", + ); + } + } +} diff --git a/circuits/lib/src/core/threshold/mod.nr b/circuits/lib/src/core/threshold/mod.nr new file mode 100644 index 0000000000..bb5c2a7eba --- /dev/null +++ b/circuits/lib/src/core/threshold/mod.nr @@ -0,0 +1,11 @@ +// SPDX-License-Identifier: LGPL-3.0-only +// +// This file is provided WITHOUT ANY WARRANTY; +// without even the implied warranty of MERCHANTABILITY +// or FITNESS FOR A PARTICULAR PURPOSE. + +pub mod pk_generation; +pub mod pk_aggregation; +pub mod user_data_encryption; +pub mod share_decryption; +pub mod decrypted_shares_aggregation; diff --git a/circuits/lib/src/core/trbfv_pk_agg.nr b/circuits/lib/src/core/threshold/pk_aggregation.nr similarity index 70% rename from circuits/lib/src/core/trbfv_pk_agg.nr rename to circuits/lib/src/core/threshold/pk_aggregation.nr index a79730e95a..83142c7931 100644 --- a/circuits/lib/src/core/trbfv_pk_agg.nr +++ b/circuits/lib/src/core/threshold/pk_aggregation.nr @@ -4,11 +4,11 @@ // without even the implied warranty of MERCHANTABILITY // or FITNESS FOR A PARTICULAR PURPOSE. -use crate::math::commitments::{compute_pk_agg_commitment, compute_pk_trbfv_commitment}; +use crate::math::commitments::compute_pk_aggregation_commitment; use crate::math::modulo::U128::ModU128; use crate::math::polynomial::Polynomial; -/// Cryptographic parameters for TRBFV public key aggregation circuit. +/// Cryptographic parameters for Threshold public key aggregation circuit. pub struct Configs { /// CRT moduli for each basis: [q_0, q_1, ..., q_{L-1}] pub qis: [Field; L], 
@@ -20,19 +20,19 @@ impl Configs { } } -/// TRBFV Public Key Aggregation (Circuit 5). +/// Public Key Aggregation (Circuit 5). /// /// Verifies that for each CRT basis l and each coefficient i: /// - pk0_agg[l][i] = sum_h(pk0[h][l][i]) mod q_l /// - pk1_agg[l][i] = sum_h(pk1[h][l][i]) mod q_l -pub struct TrbfvPublicKeyAggregation { +pub struct PkAggregation { /// Circuit parameters including CRT moduli configs: Configs, - /// Expected commitments to public key TRBFV (from C1) + /// Expected commitments to threshold public key (from C1) /// We need one commitment from each honest party (H). /// (public witness) - expected_pk_trbfv_commitments: [Field; H], + expected_threshold_pk_commitments: [Field; H], /// Individual public keys from H honest parties /// pk0[party_idx][basis_idx] - first component of public key for each party and CRT basis @@ -51,31 +51,24 @@ pub struct TrbfvPublicKeyAggregation; L], } -impl TrbfvPublicKeyAggregation { +impl PkAggregation { pub fn new( configs: Configs, - expected_pk_trbfv_commitments: [Field; H], + expected_threshold_pk_commitments: [Field; H], pk0: [[Polynomial; L]; H], pk1: [[Polynomial; L]; H], pk0_agg: [Polynomial; L], pk1_agg: [Polynomial; L], ) -> Self { - TrbfvPublicKeyAggregation { - configs, - expected_pk_trbfv_commitments, - pk0, - pk1, - pk0_agg, - pk1_agg, - } + PkAggregation { configs, expected_threshold_pk_commitments, pk0, pk1, pk0_agg, pk1_agg } } - /// Verifies that pk trbfv hashes to each expected_pk_trbfv_commitment + /// Verifies that pk hashes to each expected_threshold_pk_commitment fn verify_pk_commitments(self) { for i in 0..H { assert( - compute_pk_trbfv_commitment::(self.pk0[i], self.pk1[i]) - == self.expected_pk_trbfv_commitments[i], + compute_pk_aggregation_commitment::(self.pk0[i], self.pk1[i]) + == self.expected_threshold_pk_commitments[i], "PK commitment mismatch", ); } 
@@ -109,18 +102,18 @@ impl TrbfvPublicKeyAggregat } /// Main verification function - /// Returns commitment to aggregated public key - pub fn verify(self) -> Field { + /// Returns commitment to aggregated threshold public key + pub fn execute(self) -> Field { // 0. Verify pk commitments self.verify_pk_commitments(); - // 1. Verify pk0 & pk1 aggregations for each basis + // 1. Verify pk0 & pk1 aggregations for each CRT basis for basis_idx in 0..L { self.verify_pk_for_basis(self.pk0, self.pk0_agg, basis_idx); self.verify_pk_for_basis(self.pk1, self.pk1_agg, basis_idx); } - // 2. Commit to aggregated public key - compute_pk_agg_commitment::(self.pk0_agg, self.pk1_agg) + // 2. Commit to aggregated threshold public key + compute_pk_aggregation_commitment::(self.pk0_agg, self.pk1_agg) } } diff --git a/circuits/lib/src/core/trbfv_pk.nr b/circuits/lib/src/core/threshold/pk_generation.nr similarity index 84% rename from circuits/lib/src/core/trbfv_pk.nr rename to circuits/lib/src/core/threshold/pk_generation.nr index bb4175c067..e4ccc80171 100644 --- a/circuits/lib/src/core/trbfv_pk.nr +++ b/circuits/lib/src/core/threshold/pk_generation.nr @@ -5,13 +5,13 @@ // or FITNESS FOR A PARTICULAR PURPOSE. use crate::math::commitments::{ - compute_pk_trbfv_challenge, compute_pk_trbfv_commitment, compute_secret_e_sm_commitment, - compute_secret_sk_commitment, + compute_share_computation_e_sm_commitment, compute_share_computation_sk_commitment, + compute_threshold_pk_challenge, compute_threshold_pk_commitment, }; use crate::math::helpers::flatten; use crate::math::polynomial::Polynomial; -/// Cryptographic parameters for TRBFV public key generation circuit. +/// Cryptographic parameters for threshold public key generation circuit. pub struct Configs { /// CRT moduli: [q_0, q_1, ..., q_{L-1}] pub qis: [Field; L], 
@@ -40,7 +40,7 @@ impl Configs { } } -/// TRBFV Public Key Verification (Circuit 1). +/// Correct Threshold Public Key Generation Circuit (Circuit 1). /// /// Verifies: /// 1. Range checks on all secret witnesses (secret key, error, smudging noise, quotients) @@ -48,10 +48,10 @@ impl Configs { /// and pk1_i = a_i /// /// Outputs: -/// - commit(sk_trbfv) -/// - commit(pk_trbfv) +/// - commit(threshold_sk) +/// - commit(threshold_pk) /// - commit(e_sm) -pub struct TrbfvPublicKey { +pub struct PkGeneration { /// Cryptographic parameters including bounds, moduli, and constants. configs: Configs, @@ -77,14 +77,14 @@ pub struct TrbfvPublicKey; L], - /// TRBFV public key components (committed witnesses) + /// Threshold public key components (committed witnesses) /// pk0[i] is the first component of the public key for modulus i pk0: [Polynomial; L], /// pk1[i] is the second component of the public key for modulus i (should equal a[i]) pk1: [Polynomial; L], } -impl TrbfvPublicKey { +impl PkGeneration { pub fn new( configs: Configs, a: [Polynomial; L], @@ -96,7 +96,7 @@ impl; L], pk1: [Polynomial; L], ) -> Self { - TrbfvPublicKey { configs, a, eek, sk, e_sm, r1, r2, pk0, pk1 } + PkGeneration { configs, a, eek, sk, e_sm, r1, r2, pk0, pk1 } } /// Flattens all witness data into a single array for Fiat-Shamir challenge generation 
@@ -126,16 +126,17 @@ impl (Field, Field, Field) { + /// Main execution function + /// Returns (commit(threshold_sk), commit(threshold_pk), commit(e_sm)) + pub fn execute(self) -> (Field, Field, Field) { // Step 1: Perform range checks on all secret witness values self.perform_range_checks(); // Step 2: Compute commitments - let sk_commitment = compute_secret_sk_commitment::(self.sk); - let e_sm_commitment = compute_secret_e_sm_commitment::(self.e_sm); - let pk_commitment = compute_pk_trbfv_commitment::(self.pk0, self.pk1); + let sk_commitment = compute_share_computation_sk_commitment::(self.sk); + let e_sm_commitment = + compute_share_computation_e_sm_commitment::(self.e_sm); + let pk_commitment = compute_threshold_pk_commitment::(self.pk0, self.pk1); // Step 3: Generate Fiat-Shamir challenges using commitments let gammas = self.generate_challenge(sk_commitment, pk_commitment, e_sm_commitment); @@ -159,7 +160,7 @@ impl Vec { let inputs = self.payload(sk_commitment, pk_commitment, e_sm_commitment); - compute_pk_trbfv_challenge::(inputs) + compute_threshold_pk_challenge::(inputs) } /// Performs range checks on all secret witness values @@ -189,7 +190,7 @@ impl { /// CRT moduli: [q_0, q_1, ..., q_{L-1}] pub qis: [Field; L], 
@@ -24,23 +26,23 @@ impl Configs { } } -/// TRBFV Decryption Share Correctness (Circuit 6). +/// Threshold Share Decryption (Circuit 6). /// /// Verifies: -/// 1. Commitment to s matches expected (from BFV decryption circuit) -/// 2. Commitment to e matches expected (from BFV decryption circuit) +/// 1. Commitment to sk matches expected (from DKG decryption circuit) +/// 2. Commitment to e_sm matches expected (from DKG decryption circuit) /// 3. Correct computation: d = c_0 + c_1 * s + e + r_2 * (X^N + 1) + r_1 * q_i -pub struct DecryptionShare { +pub struct ShareDecryption { /// Circuit parameters including bounds and cryptographic constants configs: Configs, - /// Expected commitment to aggregated shares s (from BFV decryption circuit) + /// Expected commitment to aggregated sk shares (from DKG decryption circuit) /// (public witness) - expected_s_commitment: Field, + expected_sk_commitment: Field, - /// Expected commitment to aggregated noise e (from BFV decryption circuit) + /// Expected commitment to aggregated e_sm shares (from DKG decryption circuit) /// (public witness) - expected_e_commitment: Field, + expected_e_sm_commitment: Field, /// Ciphertext components (public witnesses) /// c_0 components for each CRT basis (degree N-1 polynomials with N coefficients) @@ -48,12 +50,12 @@ pub struct DecryptionShare; L], - /// Aggregated sum of shares s (secret witness) - s: [Polynomial; L], + /// Aggregated sum of sk shares (secret witness) + sk: [Polynomial; L], - /// Aggregated sum of noise e (secret witness, direct input) - /// e[basis] - sum of noise shares for each CRT basis (degree N-1 with N coefficients) - e: [Polynomial; L], + /// Aggregated sum of e_sm shares (secret witness, direct input) + /// e_sm[basis] - sum of e_sm shares for each CRT basis (degree N-1 with N coefficients) + e_sm: [Polynomial; L], /// Quotient polynomials for lifting to Z (secret witnesses) r_1: [Polynomial<2 * N - 1>; L], 
@@ -64,47 +66,47 @@ pub struct DecryptionShare; L], } -impl DecryptionShare { +impl ShareDecryption { pub fn new( configs: Configs, - expected_s_commitment: Field, - expected_e_commitment: Field, + expected_sk_commitment: Field, + expected_e_sm_commitment: Field, c_0: [Polynomial; L], c_1: [Polynomial; L], - s: [Polynomial; L], - e: [Polynomial; L], + sk: [Polynomial; L], + e_sm: [Polynomial; L], r_1: [Polynomial<2 * N - 1>; L], r_2: [Polynomial; L], d: [Polynomial; L], ) -> Self { - DecryptionShare { + ShareDecryption { configs, - expected_s_commitment, - expected_e_commitment, + expected_sk_commitment, + expected_e_sm_commitment, c_0, c_1, - s, - e, + sk, + e_sm, r_1, r_2, d, } } - /// Verifies that s hashes to expected_s_commitment - fn verify_s_commitment(self) { + /// Verifies that aggregated secret shares hash to expected_sk_commitment + fn verify_agg_sk_commitment(self) { assert( - compute_aggregated_shares_commitment::(self.s) - == self.expected_s_commitment, + compute_aggregated_shares_commitment::(self.sk) + == self.expected_sk_commitment, "S commitment mismatch", ); } - /// Verifies that e hashes to expected_e_commitment - fn verify_e_commitment(self) { + /// Verifies that aggregated noise shares hash to expected_e_sm_commitment + fn verify_agg_e_sm_commitment(self) { assert( - compute_aggregated_shares_commitment::(self.e) - == self.expected_e_commitment, + compute_aggregated_shares_commitment::(self.e_sm) + == self.expected_e_sm_commitment, "E commitment mismatch", ); } @@ -116,8 +118,8 @@ impl(inputs, self.c_0); @@ -153,12 +155,12 @@ impl( + self.sk[basis_idx].range_check_2bounds::( self.configs.r2_bounds[basis_idx], self.configs.r2_bounds[basis_idx], ); - self.e[basis_idx].range_check_2bounds::( + self.e_sm[basis_idx].range_check_2bounds::( self.configs.r2_bounds[basis_idx], self.configs.r2_bounds[basis_idx], ); 
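Review bot: The assertion messages in verify_agg_sk_commitment and verify_agg_e_sm_commitment still read `"S commitment mismatch"` and `"E commitment mismatch"` even though the fields, parameters and doc comments in this hunk were renamed to sk and e_sm, so a failing constraint will report names that no longer exist anywhere in the struct. Changing them to `"SK commitment mismatch"` and `"E_SM commitment mismatch"` keeps the diagnostics aligned with the new naming. The rest of the ShareDecryption impl continues outside this hunk.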
@@ -232,7 +234,7 @@ impl Field { let inputs = self.payload(); - compute_dec_share_challenge::(inputs) + compute_threshold_share_decryption_challenge::(inputs) } /// Verifies the lifted decryption share computation formula for a specific CRT basis using the Schwartz-Zippel lemma. @@ -263,8 +265,8 @@ impl Configs { } } -/// Greco: Correct Encryption Circuit under BFV public key +/// Correct User Data Encryption Circuit under Threshold public key /// /// Verifies: /// 1. Range checks on all polynomial coefficients @@ -85,7 +85,7 @@ impl Configs { /// /// DISCLAIMER: Ported from Halo2 circuit by Greco paper authors @ PSE. /// Halo2 implementation: https://github.com/privacy-scaling-explorations/greco -pub struct Greco { +pub struct UserDataEncryption { configs: Configs, pk_commitment: Field, pk0is: [Polynomial; L], @@ -104,7 +104,7 @@ pub struct Greco; L], } -impl Greco { +impl UserDataEncryption { pub fn new( configs: Configs, pk_commitment: Field, @@ -122,8 +122,8 @@ impl; L], p1is: [Polynomial<2 * N - 1>; L], p2is: [Polynomial; L], - ) -> Greco { - Greco { + ) -> UserDataEncryption { + UserDataEncryption { configs, pk_commitment, pk0is, @@ -225,7 +225,7 @@ impl bool { + pub fn execute(self) -> bool { // Step 1: Perform range checks on all polynomial coefficients self.check_range_bounds(); @@ -244,7 +244,7 @@ impl Vec { - compute_greco_challenge_commitment::( + compute_user_data_encryption_challenge_commitment::( self.pk0is, self.pk1is, self.gammas_payload(), diff --git a/circuits/lib/src/core/trbfv_dec_shares_agg.nr b/circuits/lib/src/core/trbfv_dec_shares_agg.nr deleted file mode 100644 index c5416964a8..0000000000 --- a/circuits/lib/src/core/trbfv_dec_shares_agg.nr +++ /dev/null 
@@ -1,331 +0,0 @@ -// SPDX-License-Identifier: LGPL-3.0-only -// -// This file is provided WITHOUT ANY WARRANTY; -// without even the implied warranty of MERCHANTABILITY -// or FITNESS FOR A PARTICULAR PURPOSE. - -use crate::math::modulo::U128::ModU128; -use crate::math::polynomial::Polynomial; -use dep::bignum::BigNum; -use dep::bignum::bignum::to_field; -use dep::bignum::Enclave_TRBFV_8192; - -/// Cryptographic parameters for decryption share aggregation circuit. -pub struct Configs { - /// CRT moduli: [q_0, q_1, ..., q_{L-1}] - pub qis: [Field; L], - /// Plaintext modulus (typically denoted as `t`) - pub plaintext_modulus: Field, - /// Precomputed value: `-Q^(-1) mod t` where Q is the product of all CRT moduli - pub q_inverse_mod_t: Field, -} - -impl Configs { - pub fn new(qis: [Field; L], plaintext_modulus: Field, q_inverse_mod_t: Field) -> Self { - Configs { qis, plaintext_modulus, q_inverse_mod_t } - } -} - -/// Decryption Share Aggregation Circuit (Circuit 7) -/// -/// Verifies: -/// 1. Lagrange interpolation to compute u^{(l)} for each CRT basis -/// 2. CRT reconstruction: u^{(l)} + r^{(l)} * q_l = u_global -/// 3. 
Decoding verification: message = -Q^{-1} * (t * u_global)_Q mod t -pub struct DecryptionSharesAggregation { - /// Circuit parameters including crypto constants - configs: Configs, - - /// Decryption shares from t+1 parties (public witnesses) - decryption_shares: [[Polynomial; L]; T + 1], - - /// Party IDs (x-coordinates) for interpolation (public witnesses) - /// Note: Must be in strictly increasing order for correct Lagrange sign computation - party_ids: [Field; T + 1], - - /// Message polynomial m(x) (public witness) - message: Polynomial, - - /// Global u polynomial (secret witness) - u_global: Polynomial, - - /// CRT quotient polynomials (secret witnesses) - crt_quotients: [Polynomial; L], -} - -impl DecryptionSharesAggregation { - pub fn new( - configs: Configs, - decryption_shares: [[Polynomial; L]; T + 1], - party_ids: [Field; T + 1], - message: Polynomial, - u_global: Polynomial, - crt_quotients: [Polynomial; L], - ) -> Self { - DecryptionSharesAggregation { - configs, - decryption_shares, - party_ids, - message, - u_global, - crt_quotients, - } - } - - /// Main verification function - pub fn verify(self) { - // Step 1: Compute Lagrange coefficients in-circuit - let lagrange_coeffs = self.compute_all_lagrange_coeffs(); - - // Step 2: Compute u^{(l)} for each CRT basis via Lagrange interpolation - let u_crts = self.compute_crt_components(lagrange_coeffs); - - // Step 3: Verify CRT reconstruction: u^{(l)} + r^{(l)} * q_l = u_global - self.verify_crt_reconstruction(u_crts); - - // Step 4: Verify decoding - self.verify_decoding(); - } - - /// Alternative verification function using efficient modular arithmetic without BigNum. - /// - /// Uses `ModU128` for decoding verification instead of BigNum. More efficient when - /// Q (the product of all CRT moduli) fits within u128 (e.g., 72 bits for insecure parameter sets). 
- pub fn verify_no_bn(self) { - // Step 1: Compute Lagrange coefficients in-circuit - let lagrange_coeffs = self.compute_all_lagrange_coeffs(); - - // Step 2: Compute u^{(l)} for each CRT basis via Lagrange interpolation - let u_crts = self.compute_crt_components(lagrange_coeffs); - - // Step 3: Verify CRT reconstruction: u^{(l)} + r^{(l)} * q_l = u_global - self.verify_crt_reconstruction(u_crts); - - // Step 4: Verify decoding - self.verify_decoding_no_bn(); - } - - /// Computes all Lagrange coefficients using optimized modular arithmetic - fn compute_all_lagrange_coeffs(self) -> [[Field; T + 1]; L] { - let mut lagrange_coeffs = [[0 as Field; T + 1]; L]; - - // Step 1: Cache |x_i - x_j| factors for all party pairs - let mut diffs = [[0 as Field; T + 1]; T + 1]; - for i in 0..(T + 1) { - for j in (i + 1)..(T + 1) { - let diff = self.party_ids[j] - self.party_ids[i]; - diffs[i][j] = diff; - diffs[j][i] = diff; - } - } - - // Step 2: Determine signs (same for all parties within a basis) - let numerator_sign_negative = (T % 2) == 1; - - // Step 3: For each CRT basis, compute Lagrange coefficients - for basis_idx in 0..L { - let q_l = self.configs.qis[basis_idx]; - let m = ModU128::new(q_l); - - // Compute product of all party IDs: PRODUCT(j=0..T) x_j mod q_l - let mut product_x = 1 as Field; - for j in 0..(T + 1) { - product_x = m.mul_mod(product_x, self.party_ids[j]); - } - - // For each party i, compute L_i(0) mod q_l - for party_idx in 0..(T + 1) { - // Numerator (absolute value): PRODUCT(j!=party_idx) x_j - let numerator_abs = m.div_mod(product_x, self.party_ids[party_idx]); - - // Denominator (absolute value): PRODUCT(j!=party_idx) |x_party_idx - x_j| - let mut denominator_abs = 1 as Field; - for j in 0..(T + 1) { - if j != party_idx { - denominator_abs = m.mul_mod(denominator_abs, diffs[party_idx][j]); - } - } - - // Determine denominator sign - let num_greater = T - party_idx; - let denom_sign_negative = (num_greater % 2) == 1; - - // Compute unsigned result: 
|numerator| / |denominator| mod q_l - let result_abs = m.div_mod(numerator_abs, denominator_abs); - - // Apply combined sign - let should_negate = numerator_sign_negative != denom_sign_negative; - let result = if should_negate { - m.reduce_mod(q_l - result_abs) - } else { - result_abs - }; - - lagrange_coeffs[basis_idx][party_idx] = result; - } - } - - lagrange_coeffs - } - - /// Computes u^{(l)} for each CRT basis via Lagrange interpolation - fn compute_crt_components( - self, - lagrange_coeffs: [[Field; T + 1]; L], - ) -> [Polynomial; L] { - let mut u_crts: [Polynomial; L] = - [Polynomial::new([0; MAX_MSG_NON_ZERO_COEFFS]); L]; - - for basis_idx in 0..L { - let q_l = self.configs.qis[basis_idx]; - let m = ModU128::new(q_l); - let mut u_coeffs = [0 as Field; MAX_MSG_NON_ZERO_COEFFS]; - - // For each coefficient position - for coeff_idx in 0..MAX_MSG_NON_ZERO_COEFFS { - let mut u_coeff = 0 as Field; - - // Sum all contributions: u = SUM(i=0..T) [d_i * L_i(0)] mod q_l - for party_idx in 0..(T + 1) { - let d_coeff = - self.decryption_shares[party_idx][basis_idx].coefficients[coeff_idx]; - let l_i_0 = lagrange_coeffs[basis_idx][party_idx]; - - let term = m.mul_mod(d_coeff, l_i_0); - u_coeff = m.reduce_mod(u_coeff + term); - } - - u_coeffs[coeff_idx] = u_coeff; - } - - u_crts[basis_idx] = Polynomial::new(u_coeffs); - } - - u_crts - } - - /// Verifies CRT reconstruction: u^{(l)} + r^{(l)} * q_l = u_global for all bases l - fn verify_crt_reconstruction(self, u_crts: [Polynomial; L]) { - for basis_idx in 0..L { - let q_l = self.configs.qis[basis_idx]; - - // Compute r^{(l)} * q_l - let r_times_q = self.crt_quotients[basis_idx].mul_scalar(q_l); - - // Compute u^{(l)} + r^{(l)} * q_l - let reconstructed = u_crts[basis_idx].add(r_times_q); - - // Verify: u^{(l)} + r^{(l)} * q_l = u_global - // Must hold for every coefficient - for coeff_idx in 0..MAX_MSG_NON_ZERO_COEFFS { - assert( - reconstructed.coefficients[coeff_idx] == self.u_global.coefficients[coeff_idx], - "CRT 
reconstruction verification failed", - ); - } - } - } - - /// Verifies decoding using BigNum for large Q values - fn verify_decoding(self) { - // Compute Q as product of all CRT moduli - let mut q_modulus = 1 as Field; - for l in 0..L { - q_modulus *= self.configs.qis[l]; - } - - // For centered arithmetic - let q_bn = Enclave_TRBFV_8192::from(q_modulus); - - let q_half_bn = q_bn.udiv(Enclave_TRBFV_8192::from(2)); - - for coeff_idx in 0..MAX_MSG_NON_ZERO_COEFFS { - // Compute (t * u_global) mod Q using BigNum - let u_bn = Enclave_TRBFV_8192::from(self.u_global.coefficients[coeff_idx]); - let t_bn = Enclave_TRBFV_8192::from(self.configs.plaintext_modulus); - let u_bn_mod_q = u_bn.umod(q_bn); - let t_bn_mod_q = t_bn.umod(q_bn); - let t_times_u_bn_q = (t_bn_mod_q * u_bn_mod_q).umod(q_bn); - - let m = ModU128::new(self.configs.plaintext_modulus); - - // Check if centering is needed - let needs_centering = t_times_u_bn_q > q_half_bn; - - let computed_message = if needs_centering { - // When (t*u) mod Q >= Q/2: treat as negative in centered form - // Centered value is conceptually negative: (t_times_u_mod_q - Q) - // -Q^{-1} * (negative) = positive result - let centered_positive = q_bn - t_times_u_bn_q; - let centered_positive_mod_t = centered_positive.umod(t_bn); - let centered_field = to_field(centered_positive_mod_t); - m.mul_mod(self.configs.q_inverse_mod_t, centered_field) - } else { - // When (t*u) mod Q < Q/2: stays positive in centered form - // -Q^{-1} * (positive) = negative result = t - result - let t_times_u_bn_t = t_times_u_bn_q.umod(t_bn); - let t_times_u_field = to_field(t_times_u_bn_t); - let product = m.mul_mod(self.configs.q_inverse_mod_t, t_times_u_field); - if product == 0 { - 0 - } else { - self.configs.plaintext_modulus - product - } - }; - - // Verify: only check non-zero coefficients - if self.message.coefficients[coeff_idx] != 0 { - assert(computed_message == self.message.coefficients[coeff_idx]); - } - } - } - - /// Alternative decoding 
verification using the formula: - /// message = -Q^{-1} * (t * u_global)_Q mod t - fn verify_decoding_no_bn(self) { - let t: Field = self.configs.plaintext_modulus; - // Compute Q as product of all CRT moduli - let mut q_modulus = 1; - for l in 0..L { - q_modulus *= self.configs.qis[l]; - } - - // For centered arithmetic - let q_half = q_modulus as u128 / 2; - - for coeff_idx in 0..MAX_MSG_NON_ZERO_COEFFS { - // Compute (t * u_global) mod Q using BigNum - let q_mod = ModU128::new(q_modulus); - let t_mod = ModU128::new(t); - - // Compute (t * u_global) mod Q using modular arithmetic functions - let t_times_u_mod_q = q_mod.mul_mod(t, self.u_global.coefficients[coeff_idx]); - let needs_centering = (t_times_u_mod_q as u128) > q_half; - - let computed_message = if needs_centering { - // When (t*u) mod Q >= Q/2: treat as negative in centered form - // Centered value is conceptually negative: (t_times_u_mod_q - Q) - // -Q^{-1} * (negative) = positive result - let centered_positive = q_modulus - t_times_u_mod_q; - let centered_positive_mod_t = t_mod.reduce_mod(centered_positive); - - t_mod.mul_mod(self.configs.q_inverse_mod_t, centered_positive_mod_t) - } else { - // When (t*u) mod Q < Q/2: stays positive in centered form - // -Q^{-1} * (positive) = negative result = t - result - let t_times_u_mod_t = t_mod.reduce_mod(t_times_u_mod_q); - let product = t_mod.mul_mod(self.configs.q_inverse_mod_t, t_times_u_mod_t); - if product == 0 { - 0 - } else { - t - product - } - }; - - // Verify: only check non-zero coefficients - if self.message.coefficients[coeff_idx] != 0 { - assert(computed_message == self.message.coefficients[coeff_idx]); - } - } - } -} diff --git a/circuits/lib/src/lib.nr b/circuits/lib/src/lib.nr index e6338c0881..68f7aa2a96 100644 --- a/circuits/lib/src/lib.nr +++ b/circuits/lib/src/lib.nr 
@@ -10,7 +10,7 @@
 //! - **`math`**: Mathematical utilities including polynomial operations, SAFE sponge
 //! API implementation, and helper functions for circuit construction.
 //! - **`configs`**: Cryptographic parameter configurations for different security
-//! levels (insecure, production) and different circuit variants (BFV, TRBFV).
+//! levels (insecure, production) and different circuit variants (DKG, Threshold).
 
 pub mod math;
 pub mod core;
diff --git a/circuits/lib/src/math/commitments.nr b/circuits/lib/src/math/commitments.nr
index b75219c113..b7f1ccfa71 100644
--- a/circuits/lib/src/math/commitments.nr
+++ b/circuits/lib/src/math/commitments.nr
@@ -9,87 +9,87 @@ use crate::math::polynomial::Polynomial; /// DOMAIN SEPARATORS -// Domain separator - "PK_BFV" -pub global DS_PK_BFV: [u8; 64] = [ - 0x50, 0x4b, 0x5f, 0x42, 0x46, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +// Domain separator - "PK" +pub global DS_PK: [u8; 64] = [ + 0x50, 0x4b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ]; -// Domain separator - "PK_TRBFV" -pub global DS_PK_TRBFV: [u8; 64] = [ - 0x50, 0x4b, 0x5f, 0x54, 0x52, 0x42, 0x46, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +// Domain separator - "PK_GENERATION" +pub global DS_PK_GENERATION: [u8; 64] = [ + 0x50, 0x4b, 0x5f, 0x47, 0x45, 0x4e, 0x45, 0x52, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ]; -// Domain separator - "SECRET" -pub global DS_SECRET: [u8; 64] = [ - 0x53, 0x45, 0x43, 0x52, 0x45, 0x54, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +// Domain separator - "SHARE_COMPUTATION" +pub global DS_SHARE_COMPUTATION: [u8; 64] = [ + 0x53, 0x48, 0x41, 0x52, 0x45, 0x5f, 0x43, 0x4f, 0x4d, 0x50, 0x55, 0x54, 0x41, 0x54, 0x49, 0x4f, + 0x4e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ]; -// Domain separator - "SPM" -pub global DS_SPM: [u8; 64] = [ - 0x53, 0x50, 0x4d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +// Domain separator - "SHARE_ENCRYPTION" +pub global DS_SHARE_ENCRYPTION: [u8; 64] = [ + 0x53, 0x48, 0x41, 0x52, 0x45, 0x5f, 0x45, 0x4e, 0x43, 0x52, 0x59, 0x50, 0x54, 0x49, 0x4f, 0x4e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ]; -// Domain separator - "AGG_SHARES" -pub global DS_AGG_SHARES: [u8; 64] = [ - 0x41, 0x47, 0x47, 0x5f, 0x53, 0x48, 0x41, 0x52, 0x45, 0x53, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +// Domain separator - "PK_AGGREGATION" +pub global DS_PK_AGGREGATION: [u8; 64] = [ + 0x50, 0x4b, 0x5f, 0x41, 0x47, 0x47, 0x52, 0x45, 0x47, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ]; -// Domain separator - "PK_AGG" -pub global DS_PK_AGG: [u8; 64] = [ - 0x50, 0x4b, 0x5f, 0x41, 0x47, 0x47, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +// Domain separator - "CIPHERTEXT" +pub global DS_CIPHERTEXT: [u8; 64] = [ + 0x43, 0x49, 0x50, 0x48, 0x45, 0x52, 0x54, 0x45, 0x58, 0x54, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
]; -// Domain separator - "AGGREGATION" -pub global DS_AGGREGATION: [u8; 64] = [ - 0x41, 0x47, 0x47, 0x52, 0x45, 0x47, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +// Domain separator - "AGGREGATED_SHARES" +pub global DS_AGGREGATED_SHARES: [u8; 64] = [ + 0x41, 0x47, 0x47, 0x52, 0x45, 0x47, 0x41, 0x54, 0x45, 0x44, 0x5f, 0x53, 0x48, 0x41, 0x52, 0x45, + 0x53, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ]; -// Domain separator - "CIPHERTEXT" -pub global DS_CIPHERTEXT: [u8; 64] = [ - 0x43, 0x49, 0x50, 0x48, 0x45, 0x52, 0x54, 0x45, 0x58, 0x54, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +// Domain separator - "RECURSIVE_AGGREGATION" +pub global DS_RECURSIVE_AGGREGATION: [u8; 64] = [ + 0x52, 0x45, 0x43, 0x55, 0x52, 0x53, 0x49, 0x56, 0x45, 0x5f, 0x41, 0x47, 0x47, 0x52, 0x45, 0x47, + 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ]; -// Domain separator - "CLG_PK_TRBFV" -pub global DS_CLG_PK_TRBFV: [u8; 64] = [ - 0x43, 0x4c, 0x47, 0x5f, 0x50, 0x4b, 0x5f, 0x54, 0x52, 0x42, 0x46, 0x56, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +// Domain separator - "CLG_PK_GENERATION" +pub global DS_CLG_PK_GENERATION: [u8; 64] = [ + 0x43, 0x4c, 0x47, 0x5f, 0x50, 0x4b, 0x5f, 0x47, 0x45, 0x4e, 0x45, 0x52, 0x41, 0x54, 0x49, 0x4f, + 0x4e, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ]; -// Domain separator - "CLG_ENC_BFV" -pub global DS_CLG_ENC_BFV: [u8; 64] = [ - 0x43, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x43, 0x5f, 0x42, 0x46, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +// Domain separator - "CLG_SHARE_ENCRYPTION" +pub global DS_CLG_SHARE_ENCRYPTION: [u8; 64] = [ + 0x43, 0x4c, 0x47, 0x5f, 0x53, 0x48, 0x41, 0x52, 0x45, 0x5f, 0x45, 0x4e, 0x43, 0x52, 0x59, 0x50, + 0x54, 0x49, 0x4f, 0x4e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ]; -// Domain separator - "CLG_GRECO" -pub global DS_CLG_GRECO: [u8; 64] = [ - 0x43, 0x4c, 0x47, 0x5f, 0x47, 0x52, 0x45, 0x43, 0x4f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +// Domain separator - "CLG_USER_DATA_ENCRYPTION" +pub global DS_CLG_USER_DATA_ENCRYPTION: [u8; 64] = [ + 0x43, 0x4c, 0x47, 0x5f, 0x55, 0x53, 0x45, 0x52, 0x5f, 0x44, 0x41, 0x54, 0x41, 0x5f, 0x45, 0x4e, + 0x43, 0x52, 0x59, 0x50, 0x54, 0x49, 0x4f, 0x4e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ]; -// Domain separator - "CLG_DEC_SHARE" -pub global DS_CLG_DEC_SHARE: [u8; 64] = [ - 0x43, 0x4c, 0x47, 0x5f, 0x44, 0x45, 0x43, 0x5f, 0x53, 0x48, 0x41, 0x52, 0x45, 0x00, 0x00, 0x00, - 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +// Domain separator - "CLG_SHARE_DECRYPTION" +pub global DS_CLG_SHARE_DECRYPTION: [u8; 64] = [ + 0x43, 0x4c, 0x47, 0x5f, 0x53, 0x48, 0x41, 0x52, 0x45, 0x5f, 0x44, 0x45, 0x43, 0x52, 0x59, 0x50, + 0x54, 0x49, 0x4f, 0x4e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ]; 
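Review bot: Every separator in this hunk is a hand-encoded 64-byte array whose only link to the label named in the comment above it is the reader's eye, so a single mistyped byte would silently bind a circuit to a different domain and nothing in the diff would catch it. Since all twelve `DS_*` globals are rewritten at once here, a test (or a compile-time assertion, if the toolchain allows one — unverified) that each array equals the ASCII of its label zero-padded to 64 bytes would make the encoding checkable rather than trusted; I spot-checked the new byte strings and they do match their labels. A file-level comment along the lines of `// Changing any separator changes every commitment and Fiat-Shamir challenge derived from it; proofs and stored commitments produced under the old labels will not verify against this version.` would also record the compatibility break this rename implies.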
@@ -120,46 +120,63 @@ pub fn multiple_polynomial_payload( /// COMMITMENTS -pub fn compute_pk_bfv_commitment( +pub fn compute_dkg_pk_commitment( pk0: [Polynomial; L], pk1: [Polynomial; L], ) -> Field { let mut payload = multiple_polynomial_payload::(Vec::new(), pk0); payload = multiple_polynomial_payload::(payload, pk1); - compute_commitments(payload, DS_PK_BFV, [0x80000000 | payload.len(), 1]).get(0) + compute_commitments(payload, DS_PK, [0x80000000 | payload.len(), 1]).get(0) } -pub fn compute_pk_trbfv_commitment( +pub fn compute_threshold_pk_commitment( pk0: [Polynomial; L], pk1: [Polynomial; L], ) -> Field { let mut payload = multiple_polynomial_payload::(Vec::new(), pk0); payload = multiple_polynomial_payload::(payload, pk1); - compute_commitments(payload, DS_PK_TRBFV, [0x80000000 | payload.len(), 1]).get(0) + compute_commitments(payload, DS_PK_GENERATION, [0x80000000 | payload.len(), 1]).get(0) } -pub fn compute_secret_sk_commitment(sk: Polynomial) -> Field { +pub fn compute_share_computation_sk_commitment( + sk: Polynomial, +) -> Field { let mut payload = single_polynomial_payload::(Vec::new(), sk); - compute_commitments(payload, DS_SECRET, [0x80000000 | payload.len(), 1]).get(0) + compute_commitments( + payload, + DS_SHARE_COMPUTATION, + [0x80000000 | payload.len(), 1], + ) + .get(0) } -pub fn compute_secret_e_sm_commitment( +pub fn compute_share_computation_e_sm_commitment( e_sm: [Polynomial; L], ) -> Field { let mut payload = multiple_polynomial_payload::(Vec::new(), e_sm); - compute_commitments(payload, DS_SECRET, [0x80000000 | payload.len(), 1]).get(0) + compute_commitments( + payload, + DS_SHARE_COMPUTATION, + [0x80000000 | payload.len(), 1], + ) + .get(0) } -pub fn compute_spm_commitment_from_message( +pub fn compute_share_encryption_commitment_from_message( message: Polynomial, ) -> Field { let mut payload = single_polynomial_payload::(Vec::new(), message); - compute_commitments(payload, DS_SPM, [0x80000000 | payload.len(), 1]).get(0) + 
compute_commitments( + payload, + DS_SHARE_ENCRYPTION, + [0x80000000 | payload.len(), 1], + ) + .get(0) } -pub fn compute_spm_commitment_from_shares( +pub fn compute_share_encryption_commitment_from_shares( y: [[[Field; N_PARTIES + 1]; L]; N], party_idx: u32, mod_idx: u32, @@ -174,28 +191,43 @@ pub fn compute_spm_commitment_from_shares( agg_shares: [Polynomial; L], ) -> Field { let mut payload = multiple_polynomial_payload::(Vec::new(), agg_shares); - compute_commitments(payload, DS_AGG_SHARES, [0x80000000 | payload.len(), 1]).get(0) + compute_commitments( + payload, + DS_AGGREGATED_SHARES, + [0x80000000 | payload.len(), 1], + ) + .get(0) } -pub fn compute_pk_agg_commitment( +pub fn compute_pk_aggregation_commitment( pk0: [Polynomial; L], pk1: [Polynomial; L], ) -> Field { let mut payload = multiple_polynomial_payload::(Vec::new(), pk0); payload = multiple_polynomial_payload::(payload, pk1); - compute_commitments(payload, DS_PK_AGG, [0x80000000 | payload.len(), 1]).get(0) + compute_commitments(payload, DS_PK_AGGREGATION, [0x80000000 | payload.len(), 1]).get(0) } -pub fn compute_aggregation_commitment(payload: Vec) -> Field { - compute_safe(DS_AGGREGATION, payload, [0x80000000 | payload.len(), 1]).get(0) +pub fn compute_recursive_aggregation_commitment(payload: Vec) -> Field { + compute_safe( + DS_RECURSIVE_AGGREGATION, + payload, + [0x80000000 | payload.len(), 1], + ) + .get(0) } pub fn compute_ciphertext_commitment( 
@@ -210,33 +242,42 @@ pub fn compute_ciphertext_commitment( /// COMMITMENTS FOR CHALLENGES -pub fn compute_pk_trbfv_challenge(payload: Vec) -> Vec { +pub fn compute_threshold_pk_challenge(payload: Vec) -> Vec { compute_commitments( payload, - DS_CLG_PK_TRBFV, + DS_CLG_PK_GENERATION, [0x80000000 | payload.len(), 2 * L], ) } -pub fn compute_bfv_enc_challenge(payload: Vec) -> Vec { - compute_commitments(payload, DS_CLG_ENC_BFV, [0x80000000 | payload.len(), 2 * L]) +pub fn compute_share_encryption_challenge(payload: Vec) -> Vec { + compute_commitments( + payload, + DS_CLG_SHARE_ENCRYPTION, + [0x80000000 | payload.len(), 2 * L], + ) } -pub fn compute_greco_challenge_commitment( +pub fn compute_user_data_encryption_challenge_commitment( pk0is: [Polynomial; L], pk1is: [Polynomial; L], gammas_payload: Vec, pk_commitment: Field, ) -> Vec { - assert(compute_pk_agg_commitment::(pk0is, pk1is) == pk_commitment); + assert(compute_pk_aggregation_commitment::(pk0is, pk1is) == pk_commitment); compute_commitments( gammas_payload, - DS_CLG_GRECO, + DS_CLG_USER_DATA_ENCRYPTION, [0x80000000 | gammas_payload.len(), 2 * L], ) } -pub fn compute_dec_share_challenge(payload: Vec) -> Field { - compute_commitments(payload, DS_CLG_DEC_SHARE, [0x80000000 | payload.len(), 1]).get(0) +pub fn compute_threshold_share_decryption_challenge(payload: Vec) -> Field { + compute_commitments( + payload, + DS_CLG_SHARE_DECRYPTION, + [0x80000000 | payload.len(), 1], + ) + .get(0) } diff --git a/crates/bfv-client/src/client.rs b/crates/bfv-client/src/client.rs index 080733e02f..e8c5ab404f 100644 --- a/crates/bfv-client/src/client.rs +++ b/crates/bfv-client/src/client.rs 
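Review bot: Every challenge in this hunk now binds to a renamed 64-byte domain separator (`DS_CLG_PK_GENERATION`, `DS_CLG_SHARE_ENCRYPTION`, `DS_CLG_USER_DATA_ENCRYPTION`, `DS_CLG_SHARE_DECRYPTION`), so `compute_threshold_pk_challenge`, `compute_share_encryption_challenge`, `compute_user_data_encryption_challenge_commitment` and `compute_threshold_share_decryption_challenge` yield different field elements than the old `*_TRBFV` / `*_ENC_BFV` / `*_GRECO` / `*_DEC_SHARE` variants for identical payloads. Nothing in the diff records that the two sets are incompatible, so any verifier artifact or stored commitment presumably derived from the previous separators would reject proofs made under the new ones. A doc comment above the `/// COMMITMENTS FOR CHALLENGES` section, e.g. `/// Domain separators were renamed in this revision; challenges are not comparable with values computed under the previous DS_CLG_* constants`, would make the break explicit, and the Rust-side helper `compute_pk_aggregation_commitment` (client.rs hunk) should be checked to use the same separator bytes as `DS_PK_AGGREGATION` here. The DS constant definitions themselves start before this file's first hunk shown here.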
@@ -7,7 +7,9 @@ use anyhow::{anyhow, Result}; use e3_fhe_params::build_bfv_params_arc; use e3_greco_helpers::{bfv_ciphertext_to_greco, bfv_public_key_to_greco}; -use e3_zk_helpers::commitments::{compute_ciphertext_commitment, compute_pk_agg_commitment}; +use e3_zk_helpers::commitments::{ + compute_ciphertext_commitment, compute_pk_aggregation_commitment, +}; use e3_zk_helpers::utils::calculate_bit_width; use fhe::bfv::{Ciphertext, Encoding, Plaintext, PublicKey}; use fhe::Error as FheError; @@ -147,7 +149,7 @@ pub fn compute_pk_commitment( let bit_pk = calculate_bit_width(&bounds.pk_bounds[0].to_string())?; let (pk0is, pk1is) = bfv_public_key_to_greco(&public_key, ¶ms); - let commitment_bigint = compute_pk_agg_commitment(&pk0is, &pk1is, bit_pk); + let commitment_bigint = compute_pk_aggregation_commitment(&pk0is, &pk1is, bit_pk); let bytes = commitment_bigint.to_bytes_be().1; @@ -209,7 +211,8 @@ pub fn compute_ct_commitment( #[cfg(test)] mod tests { - use e3_fhe_params::{build_bfv_params_from_set_arc, BfvParamSet, BfvPreset}; + use e3_fhe_params::DEFAULT_BFV_PRESET; + use e3_fhe_params::{build_bfv_params_from_set_arc, BfvParamSet}; use super::*; @@ -218,7 +221,7 @@ mod tests { use fhe::bfv::{Ciphertext, PublicKey, SecretKey}; use fhe_traits::{DeserializeParametrized, FheDecrypter, Serialize}; - let param_set: BfvParamSet = BfvPreset::InsecureThresholdBfv512.into(); + let param_set: BfvParamSet = DEFAULT_BFV_PRESET.into(); let params = build_bfv_params_from_set_arc(param_set); let degree = param_set.degree; let plaintext_modulus = param_set.plaintext_modulus; 
@@ -242,7 +245,7 @@ mod tests { use fhe::bfv::{Ciphertext, PublicKey, SecretKey}; use fhe_traits::{DeserializeParametrized, FheDecrypter, Serialize}; - let param_set: BfvParamSet = BfvPreset::InsecureThresholdBfv512.into(); + let param_set: BfvParamSet = DEFAULT_BFV_PRESET.into(); let params = build_bfv_params_from_set_arc(param_set); let degree = param_set.degree; let plaintext_modulus = param_set.plaintext_modulus; @@ -273,7 +276,7 @@ mod tests { use fhe::bfv::{Ciphertext, PublicKey, SecretKey}; use fhe_traits::{DeserializeParametrized, FheDecrypter, Serialize}; - let param_set: BfvParamSet = BfvPreset::InsecureThresholdBfv512.into(); + let param_set: BfvParamSet = DEFAULT_BFV_PRESET.into(); let params = build_bfv_params_from_set_arc(param_set); let degree = param_set.degree; let plaintext_modulus = param_set.plaintext_modulus; @@ -303,7 +306,7 @@ mod tests { use fhe::bfv::{Ciphertext, PublicKey, SecretKey}; use fhe_traits::{DeserializeParametrized, FheDecrypter, Serialize}; - let param_set: BfvParamSet = BfvPreset::InsecureThresholdBfv512.into(); + let param_set: BfvParamSet = DEFAULT_BFV_PRESET.into(); let params = build_bfv_params_from_set_arc(param_set); let degree = param_set.degree; let plaintext_modulus = param_set.plaintext_modulus; diff --git a/crates/config/Cargo.toml b/crates/config/Cargo.toml index 9cd1789bc1..649c33936d 100644 --- a/crates/config/Cargo.toml +++ b/crates/config/Cargo.toml @@ -11,6 +11,7 @@ alloy-primitives = { workspace = true } anyhow = { workspace = true } dirs = { workspace = true } e3-events = { workspace = true } +e3-fhe-params = { workspace = true } figment = { workspace = true } path-clean = { workspace = true } petname = { workspace = true } diff --git a/crates/fhe-params/README.md b/crates/fhe-params/README.md index a8532292ee..f3fe131427 100644 --- a/crates/fhe-params/README.md +++ b/crates/fhe-params/README.md 
@@ -29,10 +29,10 @@ system. It supports two main workflows: Pre-configured BFV parameter sets for PVSS (Public Verifiable Secret Sharing) protocol: -- **`BfvPreset::SecureThresholdBfv8192`** (default): Production-ready threshold BFV parameters +- **`BfvPreset::SecureThreshold8192`** (default): Production-ready threshold BFV parameters (degree 8192) - **`BfvPreset::SecureDkg8192`**: Production-ready DKG parameters (degree 8192) -- **`BfvPreset::InsecureThresholdBfv512`**: Testing-only threshold BFV parameters (degree 512) +- **`BfvPreset::InsecureThreshold512`**: Testing-only threshold BFV parameters (degree 512) - **`BfvPreset::InsecureDkg512`**: Testing-only DKG parameters (degree 512) In the PVSS protocol, two types of BFV parameters are needed: @@ -99,7 +99,7 @@ The `bfv_search()` function implements a search algorithm that: Returns the first feasible parameter set found, or an error if none exist. **Note**: Some resulting parameter sets from this search are hardcoded as presets in the -`presets.rs` file for production use (e.g., `BfvPreset::SecureThresholdBfv8192`). +`presets.rs` file for production use (e.g., `BfvPreset::SecureThreshold8192`). #### Search Result @@ -132,10 +132,10 @@ use std::sync::Arc; fn example() -> Result<(), e3_fhe_params::PresetError> { // Build threshold BFV parameters - let params = build_bfv_params_arc(BfvPreset::SecureThresholdBfv8192)?; + let params = build_bfv_params_arc(BfvPreset::SecureThreshold8192)?; // Build both threshold and DKG parameter pairs - let (threshold_params, dkg_params) = build_pair_for_preset(BfvPreset::SecureThresholdBfv8192)?; + let (threshold_params, dkg_params) = build_pair_for_preset(BfvPreset::SecureThreshold8192)?; Ok(()) } 
@@ -260,7 +260,7 @@ The CLI displays: use e3_fhe_params::{BfvPreset, build_bfv_params_arc, encode_bfv_params, decode_bfv_params, decode_bfv_params_arc}; // Build parameters from a preset -let params = build_bfv_params_arc(BfvPreset::SecureThresholdBfv8192)?; +let params = build_bfv_params_arc(BfvPreset::SecureThreshold8192)?; // Encode parameters to ABI bytes for smart contract use let encoded_bytes = encode_bfv_params(¶ms); diff --git a/crates/fhe-params/src/builder.rs b/crates/fhe-params/src/builder.rs index b4edeb617f..4936d1f591 100644 --- a/crates/fhe-params/src/builder.rs +++ b/crates/fhe-params/src/builder.rs @@ -14,8 +14,8 @@ pub fn build_pair_for_preset( preset: BfvPreset, ) -> Result<(Arc, Arc), PresetError> { match preset { - BfvPreset::InsecureThresholdBfv512 => { - let params_trbfv = BfvParametersBuilder::new() + BfvPreset::InsecureThreshold512 => { + let params_threshold = BfvParametersBuilder::new() .set_degree(insecure_512::DEGREE) .set_plaintext_modulus(insecure_512::threshold::PLAINTEXT_MODULUS) .set_moduli(insecure_512::threshold::MODULI) @@ -25,7 +25,7 @@ pub fn build_pair_for_preset( .build_arc() .unwrap(); - let params_bfv = BfvParametersBuilder::new() + let params_dkg = BfvParametersBuilder::new() .set_degree(insecure_512::DEGREE) .set_plaintext_modulus(insecure_512::dkg::PLAINTEXT_MODULUS) .set_moduli(insecure_512::dkg::MODULI) @@ -33,10 +33,10 @@ pub fn build_pair_for_preset( .build_arc() .unwrap(); - Ok((params_trbfv, params_bfv)) + Ok((params_threshold, params_dkg)) } - BfvPreset::SecureThresholdBfv8192 => { - let params_trbfv = BfvParametersBuilder::new() + BfvPreset::SecureThreshold8192 => { + let params_threshold = BfvParametersBuilder::new() .set_degree(secure_8192::DEGREE) .set_plaintext_modulus(secure_8192::threshold::PLAINTEXT_MODULUS) .set_moduli(secure_8192::threshold::MODULI) 
@@ -45,14 +45,14 @@ pub fn build_pair_for_preset( .build_arc() .unwrap(); - let params_bfv = BfvParametersBuilder::new() + let params_dkg = BfvParametersBuilder::new() .set_degree(secure_8192::DEGREE) - .set_plaintext_modulus(secure_8192::dkg::BFV_PLAINTEXT_MODULUS) - .set_moduli(secure_8192::dkg::BFV_MODULI) + .set_plaintext_modulus(secure_8192::dkg::PLAINTEXT_MODULUS) + .set_moduli(secure_8192::dkg::MODULI) .build_arc() .unwrap(); - Ok((params_trbfv, params_bfv)) + Ok((params_threshold, params_dkg)) } other => Err(PresetError::MissingPair(other.name())), } @@ -131,7 +131,7 @@ mod tests { use std::str::FromStr; #[test] - fn test_build_bfv_params_insecure_dkg() { + fn test_build_insecure_dkg_params() { // Test building BFV params using insecure DKG preset constants let degree = insecure_512::DEGREE; let plaintext_modulus = insecure_512::dkg::PLAINTEXT_MODULUS; 
@@ -144,31 +144,32 @@ mod tests { assert_eq!(params.variance(), defaults::VARIANCE); assert_eq!( params.get_error1_variance(), - &BigUint::from(defaults::ERROR1_VARIANCE) + &BigUint::from_str(insecure_512::dkg::ERROR1_VARIANCE).unwrap() ); } #[test] - fn test_build_bfv_params_arc_insecure_dkg() { + fn test_build_insecure_dkg_params_arc() { // Test building Arc using insecure DKG preset constants let degree = insecure_512::DEGREE; let plaintext_modulus = insecure_512::dkg::PLAINTEXT_MODULUS; let moduli = insecure_512::dkg::MODULI; let params = build_bfv_params_arc(degree, plaintext_modulus, moduli, None); + assert_eq!(params.degree(), degree); assert_eq!(params.plaintext(), plaintext_modulus); assert_eq!(params.moduli(), moduli); assert_eq!(params.variance(), defaults::VARIANCE); assert_eq!( params.get_error1_variance(), - &BigUint::from(defaults::ERROR1_VARIANCE) + &BigUint::from_str(insecure_512::dkg::ERROR1_VARIANCE).unwrap() ); } #[test] - fn test_build_trbfv_params_secure_threshold() { - // Test building TRBFV params using secure threshold preset constants + fn test_build_secure_threshold_params() { + // Test building threshold params using secure threshold preset constants let degree = secure_8192::DEGREE; let plaintext_modulus = secure_8192::threshold::PLAINTEXT_MODULUS; let moduli = secure_8192::threshold::MODULI; @@ -186,8 +187,8 @@ mod tests { } #[test] - fn test_build_trbfv_params_arc_secure_threshold() { - // Test building Arc using secure threshold preset constants + fn test_build_secure_threshold_params_arc() { + // Test building Arc using secure threshold preset constants let degree = secure_8192::DEGREE; let plaintext_modulus = secure_8192::threshold::PLAINTEXT_MODULUS; let moduli = secure_8192::threshold::MODULI; 
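Review bot: `test_build_insecure_dkg_params_arc` passes `None` as the error1 variance to `build_bfv_params_arc` but now asserts the result equals `insecure_512::dkg::ERROR1_VARIANCE`, so the test pins a preset constant that merely happens to equal the builder's fallback rather than the fallback itself; the same substitution appears in the first hunk here and in the encoding.rs hunks at `@@ -199` and `@@ -270`. Since `defaults::ERROR1_VARIANCE` was deleted in constants.rs, consider comparing against `defaults::VARIANCE` (whose doc says both `variance()` and `error1_variance` default to it), or add a comment on the assertion such as `// builder falls back to error1_variance = 10 when None is given; the dkg preset uses the same value`. The enclosing `mod tests` continues outside this hunk.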
@@ -205,7 +206,7 @@ mod tests { } #[test] - fn test_build_bfv_params_from_set_insecure_dkg() { + fn test_build_insecure_dkg_params_from_set() { // Test building from BfvParamSet using insecure DKG preset let preset = BfvPreset::InsecureDkg512; let param_set = preset.into(); @@ -217,7 +218,7 @@ mod tests { } #[test] - fn test_build_bfv_params_from_set_arc_insecure_dkg() { + fn test_build_insecure_dkg_params_from_set_arc() { // Test building Arc from BfvParamSet using insecure DKG preset let preset = BfvPreset::InsecureDkg512; let param_set = preset.into(); @@ -229,9 +230,9 @@ mod tests { } #[test] - fn test_build_bfv_params_from_set_secure_threshold() { + fn test_build_secure_threshold_params_from_set() { // Test building from BfvParamSet using secure threshold preset - let preset = BfvPreset::SecureThresholdBfv8192; + let preset = BfvPreset::SecureThreshold8192; let param_set = preset.into(); let params = build_bfv_params_from_set(param_set); @@ -248,9 +249,9 @@ mod tests { } #[test] - fn test_build_bfv_params_from_set_arc_secure_threshold() { + fn test_build_secure_threshold_params_from_set_arc() { // Test building Arc from BfvParamSet using secure threshold preset - let preset = BfvPreset::SecureThresholdBfv8192; + let preset = BfvPreset::SecureThreshold8192; let param_set = preset.into(); let params = build_bfv_params_from_set_arc(param_set); diff --git a/crates/fhe-params/src/constants.rs b/crates/fhe-params/src/constants.rs index d2e4f5ed3f..ee35c7641c 100644 --- a/crates/fhe-params/src/constants.rs +++ b/crates/fhe-params/src/constants.rs 
@@ -14,24 +14,19 @@ pub mod insecure_512 { pub const DEGREE: usize = 512; pub const NUM_PARTIES: u128 = 5; - /// Threshold BFV (TRBFV) parameters + /// Threshold BFV parameters pub mod threshold { pub const PLAINTEXT_MODULUS: u64 = 10; pub const MODULI: &[u64] = &[0xffffee001, 0xffffc4001]; pub const ERROR1_VARIANCE: &str = "3"; pub const ERROR1_VARIANCE_BIGUINT: u32 = 3; - - /// Search defaults for insecure threshold BFV - pub const SEARCH_N: u128 = 5; - pub const SEARCH_K: u128 = 1000; - pub const SEARCH_Z: u128 = 1000; } /// DKG parameters pub mod dkg { pub const PLAINTEXT_MODULUS: u64 = 0xffffee001; pub const MODULI: &[u64] = &[0x7fffffffe0001]; - pub const ERROR1_VARIANCE: Option<&str> = None; + pub const ERROR1_VARIANCE: &str = "10"; pub const VARIANCE: u32 = 3; } } @@ -41,7 +36,7 @@ pub mod secure_8192 { pub const DEGREE: usize = 8192; pub const NUM_PARTIES: u128 = 100; - /// Threshold BFV (TRBFV) parameters + /// Threshold BFV parameters pub mod threshold { pub const PLAINTEXT_MODULUS: u64 = 100; pub const MODULI: &[u64] = &[ 
@@ -51,30 +46,26 @@ pub mod secure_8192 { 0x00100000006e0001, ]; pub const ERROR1_VARIANCE: &str = - "1004336277661868922213726307713258317841382576849282939643494400"; - - /// Search defaults for secure threshold BFV - pub const SEARCH_N: u128 = 100; - pub const SEARCH_K: u128 = 100; - pub const SEARCH_Z: u128 = 100; + "523091811282223396986315785267318739368948664428268466733056000"; } /// DKG parameters pub mod dkg { - pub const PLAINTEXT_MODULUS: u64 = 144115188075855872; - pub const MODULI: &[u64] = &[288230376173076481, 288230376167047169]; - pub const ERROR1_VARIANCE: Option<&str> = None; - - /// BFV plaintext modulus for pair building - pub const BFV_PLAINTEXT_MODULUS: u64 = 18014398509481984; - pub const BFV_MODULI: &[u64] = &[0x0100000002a20001, 0x0100000001760001]; + pub const PLAINTEXT_MODULUS: u64 = 18014398509481984; + pub const MODULI: &[u64] = &[0x0100000002a20001, 0x0100000001760001]; + pub const ERROR1_VARIANCE: &str = "10"; } } /// Common search defaults shared across presets +/// These are for the SecureThreshold8192 preset. +/// The InsecureThreshold512 preset has been generated manually. pub mod search_defaults { pub const B: u128 = 20; pub const B_CHI: u128 = 1; + pub const SEARCH_N: u128 = 100; + pub const SEARCH_K: u128 = 100; + pub const SEARCH_Z: u128 = 100; } /// Default values for BFV parameters @@ -83,7 +74,6 @@ pub mod defaults { /// This is the standard default variance (and error1_variance) used in BFV /// when variance is not specified. Both variance() and error1_variance default to this value. pub const VARIANCE: usize = 10; - pub const ERROR1_VARIANCE: u32 = 10; /// Default insecure security parameter (λ). pub const DEFAULT_INSECURE_LAMBDA: usize = 2; diff --git a/crates/fhe-params/src/encoding.rs b/crates/fhe-params/src/encoding.rs index 0ad4b15633..f2e0a5dc3b 100644 --- a/crates/fhe-params/src/encoding.rs +++ b/crates/fhe-params/src/encoding.rs 
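Review bot: The new `search_defaults` comment states that the shared `SEARCH_N`/`SEARCH_K`/`SEARCH_Z` are for `SecureThreshold8192` only, yet the presets.rs hunk at `@@ -262,18 +290,18 @@` now returns `n: SEARCH_N` (100) for `InsecureThreshold512` as well, whereas `insecure_512::NUM_PARTIES` is 5 and the removed per-preset constants had `SEARCH_N = 5`. Either `search_defaults()` should return `None` for the insecure threshold preset (matching "has been generated manually") or the comment should say the secure defaults are deliberately reused; as written, the updated `test_search_defaults` only checks the tautology `defaults.n == SEARCH_N`. Separately, `secure_8192::threshold::ERROR1_VARIANCE` changes from `1004336…` to `523091…` with nothing recording how the new value was derived; a comment such as `// derived by bfv_search with n=SEARCH_N, k=SEARCH_K, z=SEARCH_Z, lambda=DEFAULT_SECURE_LAMBDA — see <placeholder: search run or issue>` would let the noise bound be reproduced and audited, since an incorrect error variance directly affects threshold decryption correctness and presumably the intended security margin.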
@@ -158,15 +158,16 @@ pub fn decode_bfv_params_arc(bytes: &[u8]) -> Result, Encodin #[cfg(test)] mod tests { use super::*; - use crate::constants::{defaults, insecure_512, secure_8192}; + use crate::constants::{insecure_512, secure_8192}; use crate::presets::BfvPreset; + use std::str::FromStr; #[cfg(feature = "abi-encoding")] #[test] fn test_encode_decode_roundtrip_preset() { use crate::presets::BfvParamSet; - let preset = BfvPreset::SecureThresholdBfv8192; + let preset = BfvPreset::SecureThreshold8192; let param_set: BfvParamSet = preset.into(); let params = param_set.build(); @@ -199,19 +200,19 @@ mod tests { // Verify error1_variance is preserved (defaults to 10 for standard BFV) assert_eq!( decoded.get_error1_variance(), - &num_bigint::BigUint::from(defaults::ERROR1_VARIANCE) + &num_bigint::BigUint::from_str(insecure_512::dkg::ERROR1_VARIANCE).unwrap() ); assert_eq!(decoded.get_error1_variance(), params.get_error1_variance()); } #[cfg(feature = "abi-encoding")] #[test] - fn test_encode_decode_roundtrip_trbfv() { + fn test_encode_decode_roundtrip_threshold() { use crate::builder::build_bfv_params; use num_bigint::BigUint; use std::str::FromStr; - // Use secure threshold preset constants for testing TRBFV parameter encoding + // Use secure threshold preset constants for testing threshold parameter encoding let degree = secure_8192::DEGREE; let plaintext_modulus = secure_8192::threshold::PLAINTEXT_MODULUS; let moduli = secure_8192::threshold::MODULI; @@ -224,7 +225,7 @@ mod tests { assert_eq!(decoded.degree(), degree); assert_eq!(decoded.plaintext(), plaintext_modulus); assert_eq!(decoded.moduli(), moduli); - // Verify error1_variance is preserved for trBFV + // Verify error1_variance is preserved for threshold assert_eq!( decoded.get_error1_variance(), &BigUint::from_str(error1_variance).unwrap() 
@@ -236,7 +237,7 @@ mod tests { fn test_encode_decode_arc_roundtrip() { use crate::presets::BfvParamSet; - let preset = BfvPreset::InsecureThresholdBfv512; + let preset = BfvPreset::InsecureThreshold512; let param_set: BfvParamSet = preset.into(); let params = param_set.build_arc(); @@ -270,7 +271,7 @@ mod tests { // Verify error1_variance is preserved (defaults to 10 for standard BFV) assert_eq!( decoded.get_error1_variance(), - &num_bigint::BigUint::from(defaults::ERROR1_VARIANCE) + &num_bigint::BigUint::from_str(insecure_512::dkg::ERROR1_VARIANCE).unwrap() ); assert_eq!(decoded.get_error1_variance(), params.get_error1_variance()); } @@ -280,7 +281,7 @@ mod tests { fn test_encode_deterministic() { use crate::presets::BfvParamSet; - let preset = BfvPreset::SecureThresholdBfv8192; + let preset = BfvPreset::SecureThreshold8192; let param_set: BfvParamSet = preset.into(); let params = param_set.build(); diff --git a/crates/fhe-params/src/lib.rs b/crates/fhe-params/src/lib.rs index 3625b066e1..8ec73e8a9f 100644 --- a/crates/fhe-params/src/lib.rs +++ b/crates/fhe-params/src/lib.rs @@ -20,5 +20,6 @@ pub use builder::{ #[cfg(feature = "abi-encoding")] pub use encoding::{decode_bfv_params, decode_bfv_params_arc, encode_bfv_params, EncodingError}; pub use presets::{ - BfvParamSet, BfvPreset, ParameterType, PresetError, PresetMetadata, PresetSearchDefaults, + default_param_set, BfvParamSet, BfvPreset, ParameterType, PresetError, PresetMetadata, + PresetSearchDefaults, DEFAULT_BFV_PRESET, }; diff --git a/crates/fhe-params/src/presets.rs b/crates/fhe-params/src/presets.rs index e3f1d9e5e6..e5af7d655f 100644 --- a/crates/fhe-params/src/presets.rs +++ b/crates/fhe-params/src/presets.rs @@ -10,7 +10,7 @@ use crate::constants::{ defaults::DEFAULT_INSECURE_LAMBDA, defaults::DEFAULT_SECURE_LAMBDA, insecure_512, - search_defaults::{B, B_CHI}, + search_defaults::{B, B_CHI, SEARCH_K, SEARCH_N, SEARCH_Z}, secure_8192, }; use std::sync::Arc; 
@@ -36,7 +36,7 @@ pub enum BfvPreset { /// /// Used for threshold encryption (GRECO) and threshold decryption operations. /// These parameters define the threshold public key that data providers use to encrypt inputs. - InsecureThresholdBfv512, + InsecureThreshold512, /// Insecure DKG parameters (degree 512) - DO NOT USE IN PRODUCTION /// /// Used during Phase 0-1 (BFV Key Setup and DKG) where each ciphernode generates @@ -48,7 +48,7 @@ pub enum BfvPreset { /// Used for threshold encryption (GRECO) and threshold decryption operations. /// These parameters define the threshold public key that data providers use to encrypt inputs. #[default] - SecureThresholdBfv8192, + SecureThreshold8192, /// Secure DKG parameters (degree 8192) - PRODUCTION READY /// /// Used during Phase 0-1 (BFV Key Setup and DKG) where each ciphernode generates @@ -57,6 +57,21 @@ pub enum BfvPreset { SecureDkg8192, } +/// Default BFV preset used across the workspace. +/// +/// This is the canonical preset for production (secure threshold 8192). +/// Use this constant when you need a single default rather than +/// hardcoding a specific preset. For the corresponding parameter set, +/// use [`default_param_set()`] or `BfvParamSet::from(DEFAULT_BFV_PRESET)`. +pub const DEFAULT_BFV_PRESET: BfvPreset = BfvPreset::InsecureThreshold512; + +/// Returns the default BFV parameter set (same as `DEFAULT_BFV_PRESET` converted to [`BfvParamSet`]). +/// +/// Convenience for crates that need a [`BfvParamSet`] without depending on config. +pub fn default_param_set() -> BfvParamSet { + DEFAULT_BFV_PRESET.into() +} + /// Parameter type for BFV presets #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)] pub enum ParameterType { 
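Review bot: `DEFAULT_BFV_PRESET` is defined as `BfvPreset::InsecureThreshold512` while its doc comment three lines above calls it "the canonical preset for production (secure threshold 8192)", and the enum's `#[default]` variant in the preceding hunk remains `SecureThreshold8192`, so `BfvPreset::default()` and `DEFAULT_BFV_PRESET` now disagree. Because lib.rs re-exports the constant and the bfv-client and greco-helpers test hunks replace the explicit `InsecureThresholdBfv512` with it, the constant appears to be meant as a test default, but its name and docs invite production code to pick up a degree-512 parameter set that the enum's own variant doc labels DO NOT USE IN PRODUCTION. Either set it to `BfvPreset::SecureThreshold8192` and keep the tests on an explicit insecure preset, or rename it (e.g. `DEFAULT_TEST_BFV_PRESET`) and rewrite the doc as `/// Default preset for tests and local development; insecure, degree 512 — production code must select a Secure* preset explicitly.` At minimum the doc comment must not describe an insecure preset as canonical for production.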
@@ -72,7 +87,7 @@ pub enum ParameterType { /// its security properties and basic parameter dimensions. #[derive(Debug, Clone, Copy)] pub struct PresetMetadata { - /// The canonical name of the preset (e.g., "INSECURE_THRESHOLD_BFV_512") + /// The canonical name of the preset (e.g., "INSECURE_THRESHOLD_512") pub name: &'static str, /// LWE dimension (d) - the degree of the polynomial ring, must be a power of 2 /// @@ -89,7 +104,7 @@ pub struct PresetMetadata { /// Higher values provide stronger security guarantees but may require /// larger parameters. Typically 80 for secure presets, 2 for insecure. pub lambda: usize, - /// Parameter type (BFV / trBFV). + /// Parameter type (DKG (BFV) / Threshold (trBFV)). pub parameter_type: ParameterType, } @@ -137,7 +152,7 @@ pub struct PresetSearchDefaults { pub enum PresetError { #[error("Unknown preset: {0}")] UnknownPreset(String), - #[error("Preset does not define a TRBFV/BFV pair: {0}")] + #[error("Preset does not define a Threshold (trBFV) / DKG (BFV) pair: {0}")] MissingPair(&'static str), } 
@@ -184,23 +199,23 @@ impl BfvParamSet { impl BfvPreset { pub const ALL: [BfvPreset; 4] = [ - BfvPreset::InsecureThresholdBfv512, + BfvPreset::InsecureThreshold512, BfvPreset::InsecureDkg512, - BfvPreset::SecureThresholdBfv8192, + BfvPreset::SecureThreshold8192, BfvPreset::SecureDkg8192, ]; pub const PAIR_PRESETS: [BfvPreset; 2] = [ - BfvPreset::InsecureThresholdBfv512, - BfvPreset::SecureThresholdBfv8192, + BfvPreset::InsecureThreshold512, + BfvPreset::SecureThreshold8192, ]; pub fn from_name(name: &str) -> Result { let normalized = name.trim().to_ascii_uppercase(); match normalized.as_str() { - "INSECURE_THRESHOLD_BFV_512" => Ok(Self::InsecureThresholdBfv512), + "INSECURE_THRESHOLD_512" => Ok(Self::InsecureThreshold512), "INSECURE_DKG_512" => Ok(Self::InsecureDkg512), - "SECURE_THRESHOLD_BFV_8192" => Ok(Self::SecureThresholdBfv8192), + "SECURE_THRESHOLD_8192" => Ok(Self::SecureThreshold8192), "SECURE_DKG_8192" => Ok(Self::SecureDkg8192), _ => Err(PresetError::UnknownPreset(name.to_string())), } @@ -208,9 +223,9 @@ impl BfvPreset { pub fn name(&self) -> &'static str { match self { - BfvPreset::InsecureThresholdBfv512 => "INSECURE_THRESHOLD_BFV_512", + BfvPreset::InsecureThreshold512 => "INSECURE_THRESHOLD_512", BfvPreset::InsecureDkg512 => "INSECURE_DKG_512", - BfvPreset::SecureThresholdBfv8192 => "SECURE_THRESHOLD_BFV_8192", + BfvPreset::SecureThreshold8192 => "SECURE_THRESHOLD_8192", BfvPreset::SecureDkg8192 => "SECURE_DKG_8192", } } 
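Review bot: `from_name` in this hunk drops the previous canonical strings (`INSECURE_THRESHOLD_BFV_512`, `SECURE_THRESHOLD_BFV_8192`) without an alias, so any persisted configuration, CLI argument or event payload that stored the old `name()` output now fails with `PresetError::UnknownPreset`. If those names were ever written out, consider accepting them as deprecated aliases, `"INSECURE_THRESHOLD_BFV_512" | "INSECURE_THRESHOLD_512" => Ok(Self::InsecureThreshold512),` and likewise for the secure variant, or record the break in the changelog. The `impl BfvPreset` block continues outside this hunk.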
@@ -227,9 +242,22 @@ impl BfvPreset { Self::PAIR_PRESETS.contains(self) } + /// Returns the DKG preset that pairs with this threshold preset. + /// + /// Used when you have a threshold preset (e.g. for encryption/decryption) and need + /// the corresponding DKG parameters (e.g. for share encryption during key generation). + /// Returns `None` when called on a DKG preset. + pub fn dkg_counterpart(self) -> Option { + match self { + BfvPreset::InsecureThreshold512 => Some(BfvPreset::InsecureDkg512), + BfvPreset::SecureThreshold8192 => Some(BfvPreset::SecureDkg8192), + BfvPreset::InsecureDkg512 | BfvPreset::SecureDkg8192 => None, + } + } + pub fn metadata(&self) -> PresetMetadata { match self { - BfvPreset::InsecureThresholdBfv512 => PresetMetadata { + BfvPreset::InsecureThreshold512 => PresetMetadata { name: self.name(), degree: insecure_512::DEGREE, num_parties: insecure_512::NUM_PARTIES, @@ -243,7 +271,7 @@ impl BfvPreset { lambda: DEFAULT_INSECURE_LAMBDA, parameter_type: ParameterType::DKG, }, - BfvPreset::SecureThresholdBfv8192 => PresetMetadata { + BfvPreset::SecureThreshold8192 => PresetMetadata { name: self.name(), degree: secure_8192::DEGREE, num_parties: secure_8192::NUM_PARTIES, 
@@ -262,18 +290,18 @@ impl BfvPreset { pub fn search_defaults(&self) -> Option { match self { - BfvPreset::InsecureThresholdBfv512 => Some(PresetSearchDefaults { - n: insecure_512::threshold::SEARCH_N, - k: insecure_512::threshold::SEARCH_K, - z: insecure_512::threshold::SEARCH_Z, + BfvPreset::InsecureThreshold512 => Some(PresetSearchDefaults { + n: SEARCH_N, + k: SEARCH_K, + z: SEARCH_Z, lambda: DEFAULT_INSECURE_LAMBDA as u32, b: B, b_chi: B_CHI, }), - BfvPreset::SecureThresholdBfv8192 => Some(PresetSearchDefaults { - n: secure_8192::threshold::SEARCH_N, - k: secure_8192::threshold::SEARCH_K, - z: secure_8192::threshold::SEARCH_Z, + BfvPreset::SecureThreshold8192 => Some(PresetSearchDefaults { + n: SEARCH_N, + k: SEARCH_K, + z: SEARCH_Z, lambda: DEFAULT_SECURE_LAMBDA as u32, b: B, b_chi: B_CHI, @@ -290,7 +318,7 @@ impl BfvPreset { impl From for BfvParamSet { fn from(value: BfvPreset) -> Self { match value { - BfvPreset::InsecureThresholdBfv512 => BfvParamSet { + BfvPreset::InsecureThreshold512 => BfvParamSet { degree: insecure_512::DEGREE, moduli: insecure_512::threshold::MODULI, plaintext_modulus: insecure_512::threshold::PLAINTEXT_MODULUS, @@ -300,9 +328,9 @@ impl From for BfvParamSet { degree: insecure_512::DEGREE, moduli: insecure_512::dkg::MODULI, plaintext_modulus: insecure_512::dkg::PLAINTEXT_MODULUS, - error1_variance: insecure_512::dkg::ERROR1_VARIANCE, + error1_variance: Some(insecure_512::dkg::ERROR1_VARIANCE), }, - BfvPreset::SecureThresholdBfv8192 => BfvParamSet { + BfvPreset::SecureThreshold8192 => BfvParamSet { degree: secure_8192::DEGREE, plaintext_modulus: secure_8192::threshold::PLAINTEXT_MODULUS, moduli: secure_8192::threshold::MODULI, @@ -312,7 +340,7 @@ impl From for BfvParamSet { degree: secure_8192::DEGREE, plaintext_modulus: secure_8192::dkg::PLAINTEXT_MODULUS, moduli: secure_8192::dkg::MODULI, - error1_variance: secure_8192::dkg::ERROR1_VARIANCE, + error1_variance: Some(secure_8192::dkg::ERROR1_VARIANCE), }, } } 
@@ -333,24 +361,27 @@ mod tests { #[test] fn build_pair_matches_expected_params() { - let (trbfv, bfv) = BfvPreset::InsecureThresholdBfv512.build_pair().unwrap(); - assert_eq!(trbfv.degree(), insecure_512::DEGREE); + let (threshold, dkg) = BfvPreset::InsecureThreshold512.build_pair().unwrap(); + assert_eq!(threshold.degree(), insecure_512::DEGREE); assert_eq!( - trbfv.plaintext(), + threshold.plaintext(), insecure_512::threshold::PLAINTEXT_MODULUS ); - assert_eq!(trbfv.moduli(), insecure_512::threshold::MODULI); - assert_eq!(bfv.degree(), insecure_512::DEGREE); - assert_eq!(bfv.plaintext(), insecure_512::dkg::PLAINTEXT_MODULUS); - assert_eq!(bfv.moduli(), insecure_512::dkg::MODULI); - - let (trbfv, bfv) = BfvPreset::SecureThresholdBfv8192.build_pair().unwrap(); - assert_eq!(trbfv.degree(), secure_8192::DEGREE); - assert_eq!(trbfv.plaintext(), secure_8192::threshold::PLAINTEXT_MODULUS); - assert_eq!(trbfv.moduli(), secure_8192::threshold::MODULI); - assert_eq!(bfv.degree(), secure_8192::DEGREE); - assert_eq!(bfv.plaintext(), secure_8192::dkg::BFV_PLAINTEXT_MODULUS); - assert_eq!(bfv.moduli(), secure_8192::dkg::BFV_MODULI); + assert_eq!(threshold.moduli(), insecure_512::threshold::MODULI); + assert_eq!(dkg.degree(), insecure_512::DEGREE); + assert_eq!(dkg.plaintext(), insecure_512::dkg::PLAINTEXT_MODULUS); + assert_eq!(dkg.moduli(), insecure_512::dkg::MODULI); + + let (threshold, dkg) = BfvPreset::SecureThreshold8192.build_pair().unwrap(); + assert_eq!(threshold.degree(), secure_8192::DEGREE); + assert_eq!( + threshold.plaintext(), + secure_8192::threshold::PLAINTEXT_MODULUS + ); + assert_eq!(threshold.moduli(), secure_8192::threshold::MODULI); + assert_eq!(dkg.degree(), secure_8192::DEGREE); + assert_eq!(dkg.plaintext(), secure_8192::dkg::PLAINTEXT_MODULUS); + assert_eq!(dkg.moduli(), secure_8192::dkg::MODULI); } #[test] 
@@ -384,13 +415,13 @@ mod tests { #[test] fn test_metadata_values() { - let insecure = BfvPreset::InsecureThresholdBfv512; + let insecure = BfvPreset::InsecureThreshold512; let metadata = insecure.metadata(); assert_eq!(metadata.degree, insecure_512::DEGREE); assert_eq!(metadata.num_parties, insecure_512::NUM_PARTIES); assert_eq!(metadata.lambda, DEFAULT_INSECURE_LAMBDA); - let secure = BfvPreset::SecureThresholdBfv8192; + let secure = BfvPreset::SecureThreshold8192; let metadata = secure.metadata(); assert_eq!(metadata.degree, secure_8192::DEGREE); assert_eq!(metadata.num_parties, secure_8192::NUM_PARTIES); @@ -399,18 +430,18 @@ mod tests { #[test] fn test_search_defaults() { - let preset = BfvPreset::InsecureThresholdBfv512; + let preset = BfvPreset::InsecureThreshold512; let defaults = preset.search_defaults().unwrap(); - assert_eq!(defaults.n, insecure_512::threshold::SEARCH_N); - assert_eq!(defaults.k, insecure_512::threshold::SEARCH_K); - assert_eq!(defaults.z, insecure_512::threshold::SEARCH_Z); + assert_eq!(defaults.n, SEARCH_N); + assert_eq!(defaults.k, SEARCH_K); + assert_eq!(defaults.z, SEARCH_Z); assert_eq!(defaults.lambda, DEFAULT_INSECURE_LAMBDA as u32); - let preset = BfvPreset::SecureThresholdBfv8192; + let preset = BfvPreset::SecureThreshold8192; let defaults = preset.search_defaults().unwrap(); - assert_eq!(defaults.n, secure_8192::threshold::SEARCH_N); - assert_eq!(defaults.k, secure_8192::threshold::SEARCH_K); - assert_eq!(defaults.z, secure_8192::threshold::SEARCH_Z); + assert_eq!(defaults.n, SEARCH_N); + assert_eq!(defaults.k, SEARCH_K); + assert_eq!(defaults.z, SEARCH_Z); assert_eq!(defaults.lambda, DEFAULT_SECURE_LAMBDA as u32); // DKG presets don't have search defaults diff --git a/crates/fhe-params/src/search/bfv.rs b/crates/fhe-params/src/search/bfv.rs index 1b3aaeb872..8cc66be28e 100644 --- a/crates/fhe-params/src/search/bfv.rs +++ b/crates/fhe-params/src/search/bfv.rs 
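Review bot: `test_search_defaults` has become tautological: it asserts `defaults.n == SEARCH_N` (and `k`, `z`) against the very constants the `search_defaults` arms return, so it can no longer detect a preset wired to the wrong values, whereas the removed assertions at least tied each preset to its own module's constants. Pin literals instead, e.g. `assert_eq!((defaults.n, defaults.k, defaults.z), (<n>, <k>, <z>));` with the values the secure preset was searched with, or at minimum assert that the two presets' defaults differ only in `lambda`. The rest of the test body continues outside the hunk.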
@@ -86,7 +86,7 @@ impl BfvSearchResult { /// Returns the first feasible parameter set found, or an error if none exist. /// /// Note: Some resulting parameter sets from this search are hardcoded as presets -/// in the `presets.rs` file for production use (e.g., `BfvPreset::SecureThresholdBfv8192`). +/// in the `presets.rs` file for production use (e.g., `BfvPreset::SecureThreshold8192`). pub fn bfv_search(bfv_search_config: &BfvSearchConfig) -> BfvParamsResult { let prime_items = build_prime_items(); diff --git a/crates/greco-helpers/src/lib.rs b/crates/greco-helpers/src/lib.rs index 92277ab372..c3760b5fc5 100644 --- a/crates/greco-helpers/src/lib.rs +++ b/crates/greco-helpers/src/lib.rs @@ -170,7 +170,8 @@ pub fn bfv_public_key_to_greco( #[cfg(test)] mod tests { use super::*; - use e3_fhe_params::{BfvParamSet, BfvPreset}; + use e3_fhe_params::BfvParamSet; + use e3_fhe_params::DEFAULT_BFV_PRESET; use e3_zk_helpers::utils::calculate_bit_width; use fhe::bfv::{Encoding, Plaintext, PublicKey, SecretKey}; use fhe_traits::FheEncoder; @@ -180,7 +181,7 @@ mod tests { #[test] fn test_bfv_public_key_to_greco() { - let params = BfvParamSet::from(BfvPreset::InsecureThresholdBfv512).build_arc(); + let params = BfvParamSet::from(DEFAULT_BFV_PRESET).build_arc(); let mut rng = thread_rng(); let sk = SecretKey::random(¶ms, &mut rng); @@ -267,7 +268,7 @@ mod tests { #[test] fn test_bfv_ciphertext_to_greco() { - let params = BfvParamSet::from(BfvPreset::InsecureThresholdBfv512).build_arc(); + let params = BfvParamSet::from(DEFAULT_BFV_PRESET).build_arc(); let mut rng = thread_rng(); let sk = SecretKey::random(¶ms, &mut rng); diff --git a/crates/indexer/tests/integration.rs b/crates/indexer/tests/integration.rs index 3ba6d8e762..bd6d1be158 100644 --- a/crates/indexer/tests/integration.rs +++ b/crates/indexer/tests/integration.rs 
@@ -11,6 +11,7 @@ use alloy::{ }; use e3_bfv_client::compute_pk_commitment; use e3_evm_helpers::contracts::ReadOnly; +use e3_fhe_params::DEFAULT_BFV_PRESET; use e3_fhe_params::{build_bfv_params_from_set_arc, BfvPreset}; use e3_indexer::{DataStore, EnclaveIndexer, InMemoryStore}; use eyre::Result; @@ -44,7 +45,7 @@ async fn test_indexer() -> Result<()> { const THRESHOLD: u64 = 10; const INDEXER_DELAY_MS: u64 = 10; - let param_set = BfvPreset::InsecureThresholdBfv512.into(); + let param_set = DEFAULT_BFV_PRESET.into(); let params = build_bfv_params_from_set_arc(param_set); let ( diff --git a/crates/pvss/src/circuits/pk_bfv/codegen.rs b/crates/pvss/src/circuits/pk_bfv/codegen.rs index 151403143e..da8d920d0c 100644 --- a/crates/pvss/src/circuits/pk_bfv/codegen.rs +++ b/crates/pvss/src/circuits/pk_bfv/codegen.rs @@ -123,12 +123,13 @@ pub fn write_artifacts( mod tests { use super::*; use crate::sample; - use e3_fhe_params::{BfvParamSet, BfvPreset}; + use e3_fhe_params::BfvParamSet; + use e3_fhe_params::DEFAULT_BFV_PRESET; use tempfile::TempDir; #[test] fn test_toml_generation_and_structure() { - let preset = BfvPreset::InsecureThresholdBfv512; + let preset = DEFAULT_BFV_PRESET; let params = BfvParamSet::from(preset).build_arc(); let sample = sample::generate_sample(¶ms); let artifacts = codegen(preset, sample.public_key).unwrap(); diff --git a/crates/pvss/src/circuits/pk_bfv/computation.rs b/crates/pvss/src/circuits/pk_bfv/computation.rs index 5fc6b6d2e7..0df2c0e890 100644 --- a/crates/pvss/src/circuits/pk_bfv/computation.rs +++ b/crates/pvss/src/circuits/pk_bfv/computation.rs 
@@ -172,11 +172,12 @@ mod tests { use crate::sample::generate_sample; use crate::traits::ConvertToJson; use crate::traits::ReduceToZkpModulus; - use e3_fhe_params::{BfvParamSet, BfvPreset}; + use e3_fhe_params::BfvParamSet; + use e3_fhe_params::DEFAULT_BFV_PRESET; #[test] fn test_bound_and_bits_computation_consistency() { - let params = BfvParamSet::from(BfvPreset::InsecureThresholdBfv512).build_arc(); + let params = BfvParamSet::from(DEFAULT_BFV_PRESET).build_arc(); let bounds = Bounds::compute(¶ms, &()).unwrap(); let bits = Bits::compute(¶ms, &bounds).unwrap(); let expected_bits = calculate_bit_width(&bounds.pk_bound.to_string()).unwrap(); @@ -187,7 +188,7 @@ mod tests { #[test] fn test_witness_reduction_and_json_roundtrip() { - let params = BfvParamSet::from(BfvPreset::InsecureThresholdBfv512).build_arc(); + let params = BfvParamSet::from(DEFAULT_BFV_PRESET).build_arc(); let encryption_data = generate_sample(¶ms); let witness = Witness::compute(¶ms, &encryption_data.public_key).unwrap(); let zkp_reduced = witness.reduce_to_zkp_modulus(); @@ -200,7 +201,7 @@ mod tests { #[test] fn test_constants_json_roundtrip() { - let params = BfvParamSet::from(BfvPreset::InsecureThresholdBfv512).build_arc(); + let params = BfvParamSet::from(DEFAULT_BFV_PRESET).build_arc(); let constants = Constants::compute(¶ms, &()).unwrap(); let json = constants.convert_to_json().unwrap(); diff --git a/crates/pvss/src/sample.rs b/crates/pvss/src/sample.rs index 6d89aa0fd9..15a1992f1a 100644 --- a/crates/pvss/src/sample.rs +++ b/crates/pvss/src/sample.rs 
@@ -21,11 +21,12 @@ pub fn generate_sample(params: &Arc) -> Sample { #[cfg(test)] mod tests { use super::*; - use e3_fhe_params::{BfvParamSet, BfvPreset}; + use e3_fhe_params::BfvParamSet; + use e3_fhe_params::DEFAULT_BFV_PRESET; #[test] fn test_generate_sample() { - let params = BfvParamSet::from(BfvPreset::InsecureThresholdBfv512).build_arc(); + let params = BfvParamSet::from(DEFAULT_BFV_PRESET).build_arc(); let sample = generate_sample(¶ms); assert_eq!(sample.public_key.c.c.len(), 2); diff --git a/crates/pvss/src/utils.rs b/crates/pvss/src/utils.rs index df55859972..652855e5d3 100644 --- a/crates/pvss/src/utils.rs +++ b/crates/pvss/src/utils.rs @@ -33,7 +33,7 @@ pub fn get_security_level(lambda: usize) -> SecurityLevel { pub fn generate_wrapper(n_recursive_proofs: usize, n_public_inputs: usize) -> Wrapper { format!( r#"use bb_proof_verification::{{UltraHonkProof, UltraHonkVerificationKey, verify_ultrahonk_proof}}; -use lib::math::commitments::compute_aggregation_commitment; +use lib::math::commitments::compute_recursive_aggregation_commitment; // Number of proofs. pub global N_PROOFS: u32 = {}; @@ -58,7 +58,7 @@ fn main( }} }} - compute_aggregation_commitment(aggregated_public_inputs) + compute_recursive_aggregation_commitment(aggregated_public_inputs) }} "#, n_recursive_proofs, n_public_inputs diff --git a/crates/support/host/src/bin/profile_risc0.rs b/crates/support/host/src/bin/profile_risc0.rs index 584032acb5..a3050df919 100644 --- a/crates/support/host/src/bin/profile_risc0.rs +++ b/crates/support/host/src/bin/profile_risc0.rs 
@@ -4,8 +4,9 @@ // without even the implied warranty of MERCHANTABILITY // or FITNESS FOR A PARTICULAR PURPOSE. -use e3_fhe_params::{build_bfv_params_from_set_arc, encode_bfv_params, BfvPreset}; use e3_compute_provider::FHEInputs; +use e3_fhe_params::DEFAULT_BFV_PRESET; +use e3_fhe_params::{build_bfv_params_from_set_arc, encode_bfv_params}; use e3_support_host::run_risc0_compute; use fhe::bfv::{Encoding, Plaintext, PublicKey, SecretKey}; use fhe_traits::{FheEncoder, FheEncrypter, Serialize}; @@ -15,7 +16,7 @@ fn main() { println!("Starting RISC0 profiling with mock ciphertexts..."); // Use InsecureThresholdBfv512 parameter set - let param_set = BfvPreset::InsecureThresholdBfv512.into(); + let param_set = DEFAULT_BFV_PRESET.into(); let params = build_bfv_params_from_set_arc(param_set); println!( diff --git a/crates/test-helpers/src/bin/fake_encrypt.rs b/crates/test-helpers/src/bin/fake_encrypt.rs index 8031bc38ef..aa1999cb21 100644 --- a/crates/test-helpers/src/bin/fake_encrypt.rs +++ b/crates/test-helpers/src/bin/fake_encrypt.rs @@ -6,7 +6,8 @@ // This is a test script designed to encrypt some fixed data to a fhe public key use clap::Parser; -use e3_fhe_params::{build_bfv_params_from_set_arc, decode_bfv_params_arc, BfvPreset}; +use e3_fhe_params::DEFAULT_BFV_PRESET; +use e3_fhe_params::{build_bfv_params_from_set_arc, decode_bfv_params_arc}; use fhe::bfv::{Encoding, Plaintext, PublicKey}; use fhe_traits::{DeserializeParametrized, FheEncoder, FheEncrypter, Serialize}; use rand::SeedableRng; @@ -53,7 +54,7 @@ fn main() -> Result<(), Box> { let params = if let Some(params_bytes) = args.params { decode_bfv_params_arc(¶ms_bytes.0).expect("Failed to decode BFV params") } else { - build_bfv_params_from_set_arc(BfvPreset::InsecureThresholdBfv512.into()) + build_bfv_params_from_set_arc(DEFAULT_BFV_PRESET.into()) }; let pubkey = PublicKey::from_bytes(&bytes, ¶ms)?; let raw_plaintext = args.plaintext; 
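Review bot: The context comment `// Use InsecureThresholdBfv512 parameter set` in `main` now contradicts the line directly under it, which builds from `DEFAULT_BFV_PRESET`; it survived only because it was not a changed line. Either drop it or state what is actually being profiled, e.g. `// Use the crate default preset; see e3_fhe_params::DEFAULT_BFV_PRESET for which parameter set (and security level) this run profiles.` The remainder of `main` lies outside the hunk.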
diff --git a/crates/test-helpers/src/lib.rs b/crates/test-helpers/src/lib.rs index bd8c2c0068..8d38c7b8f4 100644 --- a/crates/test-helpers/src/lib.rs +++ b/crates/test-helpers/src/lib.rs @@ -19,7 +19,8 @@ use e3_events::{ EventPublisher, EventType, HistoryCollector, Seed, Subscribe, }; use e3_fhe::{create_crp, setup_crp_params, ParamsWithCrp}; -use e3_fhe_params::{BfvParamSet, BfvPreset}; +use e3_fhe_params::BfvParamSet; +use e3_fhe_params::DEFAULT_BFV_PRESET; use e3_net::{DocumentPublisher, NetEventTranslator}; use e3_utils::SharedRng; use fhe::bfv::{BfvParameters, Ciphertext, Encoding, Plaintext, PublicKey}; @@ -91,7 +92,7 @@ pub fn get_common_setup( let rng = create_shared_rng_from_u64(42); let seed = create_seed_from_u64(123); - let param_set = param_set.unwrap_or(BfvPreset::InsecureThresholdBfv512.into()); + let param_set = param_set.unwrap_or(DEFAULT_BFV_PRESET.into()); let degree = param_set.degree; let plaintext_modulus = param_set.plaintext_modulus; let moduli = param_set.moduli; diff --git a/crates/tests/tests/integration.rs b/crates/tests/tests/integration.rs index 90f268185e..8ea0091a40 100644 --- a/crates/tests/tests/integration.rs +++ b/crates/tests/tests/integration.rs @@ -15,7 +15,8 @@ use e3_events::{ E3Requested, E3id, EnclaveEvent, EnclaveEventData, OperatorActivationChanged, PlaintextAggregated, Seed, TakeEvents, TicketBalanceUpdated, }; -use e3_fhe_params::{encode_bfv_params, BfvParamSet, BfvPreset}; +use e3_fhe_params::DEFAULT_BFV_PRESET; +use e3_fhe_params::{encode_bfv_params, BfvParamSet}; use e3_multithread::{Multithread, MultithreadReport, ToReport}; use e3_net::events::{GossipData, NetEvent}; use e3_net::NetEventTranslator; 
@@ -129,7 +130,7 @@ async fn test_trbfv_actor() -> Result<()> { let bus = system.handle()?; // Parameters (128bits of security) - let params_raw = BfvParamSet::from(BfvPreset::InsecureThresholdBfv512).build_arc(); + let params_raw = BfvParamSet::from(DEFAULT_BFV_PRESET).build_arc(); // Encoded Params let params = ArcBytes::from_bytes(&encode_bfv_params(¶ms_raw.clone())); diff --git a/crates/trbfv/src/helpers.rs b/crates/trbfv/src/helpers.rs index cefc67104a..1a78fdd09d 100644 --- a/crates/trbfv/src/helpers.rs +++ b/crates/trbfv/src/helpers.rs @@ -7,7 +7,7 @@ use crate::shares::ShamirShare; use anyhow::Result; use e3_crypto::{Cipher, SensitiveBytes}; -use e3_fhe_params::{BfvParamSet, BfvPreset}; +use e3_fhe_params::{BfvParamSet, DEFAULT_BFV_PRESET}; use fhe::mbfv::PublicKeyShare; use fhe::{ bfv::{self, BfvParameters, SecretKey}, @@ -44,8 +44,13 @@ pub fn deserialize_secret_key(bytes: &[u8], params: &Arc) -> Resu } /// TODO: Make this modular +/// Returns DKG BFV parameters (used for share encryption during key generation), +/// matching the security level of the default threshold preset. pub fn get_share_encryption_params() -> Arc { - let param_set: BfvParamSet = BfvPreset::InsecureDkg512.into(); + let dkg_preset = DEFAULT_BFV_PRESET + .dkg_counterpart() + .expect("default threshold preset has DKG counterpart"); + let param_set: BfvParamSet = dkg_preset.into(); param_set.build_arc() } diff --git a/crates/trbfv/tests/integration.rs b/crates/trbfv/tests/integration.rs index 048fb8a3ec..45d73261f8 100644 --- a/crates/trbfv/tests/integration.rs +++ b/crates/trbfv/tests/integration.rs @@ -12,6 +12,7 @@ use anyhow::Result; use e3_bfv_client::decode_bytes_to_vec_u64; use e3_crypto::Cipher; use e3_fhe::create_crp; +use e3_fhe_params::DEFAULT_BFV_PRESET; use e3_fhe_params::{encode_bfv_params, BfvParamSet, BfvPreset}; use e3_test_helpers::{create_seed_from_u64, create_shared_rng_from_u64, usecase_helpers}; use e3_trbfv::{ 
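Review bot: The context comment `// Parameters (128bits of security)` above the new `BfvParamSet::from(DEFAULT_BFV_PRESET)` line asserts a security level that nothing in this hunk establishes; the removed line used an explicitly `Insecure*` preset under the same comment, so the claim was already suspect, and it now depends on whatever `DEFAULT_BFV_PRESET` resolves to. Replace it with something a reader can check, e.g. `// Parameters: crate default preset (see DEFAULT_BFV_PRESET; not necessarily a production security level).` The test body continues outside the hunk.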
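Review bot: `get_share_encryption_params` now panics through `expect` when `DEFAULT_BFV_PRESET.dkg_counterpart()` is `None`, and that panic would first surface during key generation on a running node rather than at build or test time. Since the default preset is a constant, pin the invariant in a unit test so CI catches a default without a DKG counterpart: `assert!(DEFAULT_BFV_PRESET.dkg_counterpart().is_some());`. The new description lines sit below the existing `/// TODO: Make this modular`, so the rendered one-line summary for this function is the TODO; move the TODO after the description or make it a `//` comment. The share-encryption parameters are still derived from the global default rather than from the threshold parameters of the E3 being served, which is presumably what the TODO refers to and is worth saying explicitly in the doc.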
@@ -44,7 +45,7 @@ async fn test_trbfv_isolation() -> Result<()> { let _guard = tracing::subscriber::set_default(subscriber); let rng = create_shared_rng_from_u64(42); - let params_raw = BfvParamSet::from(BfvPreset::InsecureThresholdBfv512).build_arc(); + let params_raw = BfvParamSet::from(DEFAULT_BFV_PRESET).build_arc(); let params = ArcBytes::from_bytes(&encode_bfv_params(¶ms_raw.clone())); // E3Parameters diff --git a/crates/wasm/src/lib.rs b/crates/wasm/src/lib.rs index f5b41c85a3..a187a4734b 100644 --- a/crates/wasm/src/lib.rs +++ b/crates/wasm/src/lib.rs @@ -171,7 +171,7 @@ pub fn bfv_verifiable_encrypt_vector( /// Retrieves a BFV parameter set by name. /// /// # Parameters -/// * `name` - Parameter set identifier (e.g., "SECURE_THRESHOLD_BFV_8192") +/// * `name` - Parameter set identifier (e.g., "SECURE_THRESHOLD_8192") /// /// # Returns /// A JavaScript object with the following structure: @@ -202,7 +202,7 @@ pub fn get_bfv_params(name: &str) -> Result { /// /// # Returns /// Array of parameter set names that can be passed to `get_bfv_params()`. -/// Includes both production-ready sets (e.g., "SECURE_THRESHOLD_BFV_8192") and +/// Includes both production-ready sets (e.g., "SECURE_THRESHOLD_8192") and /// insecure sets for testing (prefixed with "INSECURE_"). pub fn get_bfv_params_list() -> Vec { BfvPreset::list() diff --git a/crates/zk-helpers/src/commitments.rs b/crates/zk-helpers/src/commitments.rs index 4e4e20f557..0dd9afc88d 100644 --- a/crates/zk-helpers/src/commitments.rs +++ b/crates/zk-helpers/src/commitments.rs 
@@ -21,110 +21,100 @@ use num_bigint::BigInt; // DOMAIN SEPARATORS // ============================================================================ -/// Domain separator for BFV public key commitments. -/// String: "PK_BFV" -const DS_PK_BFV: [u8; 64] = [ - 0x50, 0x4b, 0x5f, 0x42, 0x46, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +/// String: "PK" +const DS_PK: [u8; 64] = [ + 0x50, 0x4b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ]; -/// Domain separator for TRBFV public key commitments. -/// String: "PK_TRBFV" -const DS_PK_TRBFV: [u8; 64] = [ - 0x50, 0x4b, 0x5f, 0x54, 0x52, 0x42, 0x46, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +/// String: "PK_GENERATION" +const DS_PK_GENERATION: [u8; 64] = [ + 0x50, 0x4b, 0x5f, 0x47, 0x45, 0x4e, 0x45, 0x52, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ]; -/// Domain separator for secret commitments (sk_trbfv or e_sm). 
-/// String: "SECRET" -const DS_SECRET: [u8; 64] = [ - 0x53, 0x45, 0x43, 0x52, 0x45, 0x54, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +/// String: "SHARE_COMPUTATION" +const DS_SHARE_COMPUTATION: [u8; 64] = [ + 0x53, 0x48, 0x41, 0x52, 0x45, 0x5f, 0x43, 0x4f, 0x4d, 0x50, 0x55, 0x54, 0x41, 0x54, 0x49, 0x4f, + 0x4e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ]; -/// Domain separator for shares party-modulus commitments. -/// String: "SPM" -const DS_SPM: [u8; 64] = [ - 0x53, 0x50, 0x4d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +/// String: "SHARE_ENCRYPTION" +const DS_SHARE_ENCRYPTION: [u8; 64] = [ + 0x53, 0x48, 0x41, 0x52, 0x45, 0x5f, 0x45, 0x4e, 0x43, 0x52, 0x59, 0x50, 0x54, 0x49, 0x4f, 0x4e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ]; -/// Domain separator for aggregated shares commitments. 
-/// String: "AGG_SHARES" -const DS_AGG_SHARES: [u8; 64] = [ - 0x41, 0x47, 0x47, 0x5f, 0x53, 0x48, 0x41, 0x52, 0x45, 0x53, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +/// String: "PK_AGGREGATION" +const DS_PK_AGGREGATION: [u8; 64] = [ + 0x50, 0x4b, 0x5f, 0x41, 0x47, 0x47, 0x52, 0x45, 0x47, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ]; -/// Domain separator for public key aggregation commitments. -/// String: "PK_AGG" -const DS_PK_AGG: [u8; 64] = [ - 0x50, 0x4b, 0x5f, 0x41, 0x47, 0x47, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +/// Domain separator for general-purpose ciphertext commitments. +/// String: "CIPHERTEXT" +const DS_CIPHERTEXT: [u8; 64] = [ + 0x43, 0x49, 0x50, 0x48, 0x45, 0x52, 0x54, 0x45, 0x58, 0x54, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ]; -/// Domain separator for aggregation commitments. 
-/// String: "AGGREGATION" -const DS_AGGREGATION: [u8; 64] = [ - 0x41, 0x47, 0x47, 0x52, 0x45, 0x47, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +/// String: "AGGREGATED_SHARES" +const DS_AGGREGATED_SHARES: [u8; 64] = [ + 0x41, 0x47, 0x47, 0x52, 0x45, 0x47, 0x41, 0x54, 0x45, 0x44, 0x5f, 0x53, 0x48, 0x41, 0x52, 0x45, + 0x53, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ]; -/// Domain separator for general-purpose ciphertext commitments. -/// String: "CIPHERTEXT" -const DS_CIPHERTEXT: [u8; 64] = [ - 0x43, 0x49, 0x50, 0x48, 0x45, 0x52, 0x54, 0x45, 0x58, 0x54, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +/// String: "RECURSIVE_AGGREGATION" +const DS_RECURSIVE_AGGREGATION: [u8; 64] = [ + 0x52, 0x45, 0x43, 0x55, 0x52, 0x53, 0x49, 0x56, 0x45, 0x5f, 0x41, 0x47, 0x47, 0x52, 0x45, 0x47, + 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ]; -/// Domain separator for public key TRBFV challenge. 
-/// String: "CLG_PK_TRBFV" -const DS_CLG_PK_TRBFV: [u8; 64] = [ - 0x43, 0x4c, 0x47, 0x5f, 0x50, 0x4b, 0x5f, 0x54, 0x52, 0x42, 0x46, 0x56, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +/// String: "CLG_PK_GENERATION" +const DS_CLG_PK_GENERATION: [u8; 64] = [ + 0x43, 0x4c, 0x47, 0x5f, 0x50, 0x4b, 0x5f, 0x47, 0x45, 0x4e, 0x45, 0x52, 0x41, 0x54, 0x49, 0x4f, + 0x4e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ]; -/// Domain separator for encryption BFV challenge. -/// String: "CLG_ENC_BFV" -const DS_CLG_ENC_BFV: [u8; 64] = [ - 0x43, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x43, 0x5f, 0x42, 0x46, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +/// String: "CLG_SHARE_ENCRYPTION" +const DS_CLG_SHARE_ENCRYPTION: [u8; 64] = [ + 0x43, 0x4c, 0x47, 0x5f, 0x53, 0x48, 0x41, 0x52, 0x45, 0x5f, 0x45, 0x4e, 0x43, 0x52, 0x59, 0x50, + 0x54, 0x49, 0x4f, 0x4e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ]; -/// Domain separator for Greco challenge. 
-/// String: "CLG_GRECO" -const DS_CLG_GRECO: [u8; 64] = [ - 0x43, 0x4c, 0x47, 0x5f, 0x47, 0x52, 0x45, 0x43, 0x4f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +/// String: "CLG_USER_DATA_ENCRYPTION" +const DS_CLG_USER_DATA_ENCRYPTION: [u8; 64] = [ + 0x43, 0x4c, 0x47, 0x5f, 0x55, 0x53, 0x45, 0x52, 0x5f, 0x44, 0x41, 0x54, 0x41, 0x5f, 0x45, 0x4e, + 0x43, 0x52, 0x59, 0x50, 0x54, 0x49, 0x4f, 0x4e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ]; /// Domain separator for decryption share challenge. -/// String: "CLG_DEC_SHARE" -const DS_CLG_DEC_SHARE: [u8; 64] = [ - 0x43, 0x4c, 0x47, 0x5f, 0x44, 0x45, 0x43, 0x5f, 0x53, 0x48, 0x41, 0x52, 0x45, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +/// String: "CLG_SHARE_DECRYPTION" +const DS_CLG_SHARE_DECRYPTION: [u8; 64] = [ + 0x43, 0x4c, 0x47, 0x5f, 0x53, 0x48, 0x41, 0x52, 0x45, 0x5f, 0x44, 0x45, 0x43, 0x52, 0x59, 0x50, + 0x54, 0x49, 0x4f, 0x4e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ]; 
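Review bot: Most of the new separator constants lost their purpose line and keep only `/// String: "…"`, and their names no longer say which key they cover: `DS_PK` is consumed by `compute_dkg_pk_commitment` while `DS_PK_GENERATION` is consumed by `compute_threshold_pk_commitment` (visible in the following hunks), which a reader cannot recover from the constants alone, so restore a purpose line on each, e.g. `/// Domain separator for the correct-DKG public key commitment (compute_dkg_pk_commitment).` Because every commitment in this crate is keyed on these bytes, the rename changes every commitment value the crate produces; I cannot see from the diff whether the Noir circuits and any persisted or on-chain commitments were updated in lockstep, so that should be confirmed before merge. The ASCII encodings all match their strings, but a typo in these hand-written arrays would be silent; a test such as `assert_eq!(&DS_PK_GENERATION[..13], b"PK_GENERATION");` for each constant would keep them honest.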
@@ -152,18 +142,22 @@ pub fn compute_commitments( compute_safe(domain_separator, payload, io_pattern) } -/// Compute a commitment to the BFV public key polynomials by flattening them and hashing. +// ============================================================================ +// COMMITMENTS +// ============================================================================ + +/// Compute a commitment to the correct DKG public key polynomials by flattening them and hashing. /// -/// This matches the Noir `compute_pk_bfv_commitment` function exactly. +/// This matches the Noir `compute_pk_generation_commitment` function exactly. /// /// # Arguments -/// * `pk0` - First component of the BFV public key (one vector per modulus) -/// * `pk1` - Second component of the BFV public key (one vector per modulus) +/// * `pk0` - First component of the correct DKG public key (one vector per modulus) +/// * `pk1` - Second component of the correct DKG public key (one vector per modulus) /// * `bit_pk` - The bit width for public key coefficient bounds /// /// # Returns /// A `BigInt` representing the commitment hash value -pub fn compute_pk_bfv_commitment(pk0: &[Vec], pk1: &[Vec], bit_pk: u32) -> BigInt { +pub fn compute_dkg_pk_commitment(pk0: &[Vec], pk1: &[Vec], bit_pk: u32) -> BigInt { let mut payload = Vec::new(); payload = flatten(payload, pk0, bit_pk); payload = flatten(payload, pk1, bit_pk); 
@@ -171,23 +165,23 @@ pub fn compute_pk_bfv_commitment(pk0: &[Vec], pk1: &[Vec], bit_p let input_size = payload.len() as u32; let io_pattern = [0x80000000 | input_size, 1]; - let commitment_field = compute_commitments(payload, DS_PK_BFV, io_pattern)[0]; + let commitment_field = compute_commitments(payload, DS_PK, io_pattern)[0]; let commitment_bytes = commitment_field.into_bigint().to_bytes_le(); BigInt::from_bytes_le(num_bigint::Sign::Plus, &commitment_bytes) } -/// Compute a commitment to the TRBFV public key polynomials by flattening them and hashing. +/// Compute a commitment to the threshold public key polynomials by flattening them and hashing. /// -/// This matches the Noir `compute_pk_trbfv_commitment` function exactly. +/// This matches the Noir `compute_threshold_pk_commitment` function exactly. /// /// # Arguments -/// * `pk0` - First component of the TRBFV public key (one vector per modulus) -/// * `pk1` - Second component of the TRBFV public key (one vector per modulus) +/// * `pk0` - First component of the threshold public key (one vector per modulus) +/// * `pk1` - Second component of the threshold public key (one vector per modulus) /// * `bit_pk` - The bit width for public key coefficient bounds /// /// # Returns /// A `BigInt` representing the commitment hash value -pub fn compute_pk_trbfv_commitment( +pub fn compute_threshold_pk_commitment( pk0: &[Vec], pk1: &[Vec], bit_pk: u32, 
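Review bot: The DKG and threshold public-key commitments look cross-wired in naming: `compute_dkg_pk_commitment` hashes under `DS_PK` while its doc in the previous hunk says it matches the Noir `compute_pk_generation_commitment`, and `compute_threshold_pk_commitment`, documented here as matching Noir `compute_threshold_pk_commitment`, hashes under `DS_PK_GENERATION` in the next hunk. I cannot tell from here which side is authoritative, but one of the doc line, the separator name, or the separator choice is off, and a wrong separator would make the Rust and Noir commitments disagree. Either rename the constants after the functions that use them (`DS_DKG_PK` / `DS_THRESHOLD_PK`) or correct the doc line to name the Noir function that really hashes under `"PK"`. Both function bodies extend beyond this hunk.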
@@ -199,62 +193,58 @@ pub fn compute_pk_trbfv_commitment( let input_size = payload.len() as u32; let io_pattern = [0x80000000 | input_size, 1]; - let commitment_field = compute_commitments(payload, DS_PK_TRBFV, io_pattern)[0]; + let commitment_field = compute_commitments(payload, DS_PK_GENERATION, io_pattern)[0]; let commitment_bytes = commitment_field.into_bigint().to_bytes_le(); BigInt::from_bytes_le(num_bigint::Sign::Plus, &commitment_bytes) } -/// Compute a commitment to the secret key polynomial by flattening it and hashing. +/// Compute a commitment to the threshold secret key share by flattening it and hashing. /// -/// This matches the Noir `compute_secret_sk_commitment` function exactly. +/// This matches the Noir `compute_share_computation_sk_commitment` function exactly. /// /// # Arguments -/// * `sk` - Secret key polynomial coefficients -/// * `bit_sk` - The bit width for secret key coefficient bounds +/// * `sk` - Threshold secret key share coefficients +/// * `bit_sk` - The bit width for threshold secret key share coefficient bounds /// /// # Returns /// A `BigInt` representing the commitment hash value -pub fn compute_secret_sk_commitment(sk: &[BigInt], bit_sk: u32) -> BigInt { +pub fn compute_share_computation_sk_commitment(sk: &[BigInt], bit_sk: u32) -> BigInt { let mut payload = Vec::new(); payload = flatten(payload, &[sk.to_vec()], bit_sk); let input_size = payload.len() as u32; let io_pattern = [0x80000000 | input_size, 1]; - let commitment_field = compute_commitments(payload, DS_SECRET, io_pattern)[0]; + let commitment_field = compute_commitments(payload, DS_SHARE_COMPUTATION, io_pattern)[0]; let commitment_bytes = commitment_field.into_bigint().to_bytes_le(); BigInt::from_bytes_le(num_bigint::Sign::Plus, &commitment_bytes) } -/// Compute a commitment to the smudging noise (e_sm). +/// Compute a commitment to the threshold smudging noise share by flattening it and hashing. 
/// -/// This matches the Noir `compute_secret_e_sm_commitment` function exactly. +/// This matches the Noir `compute_share_computation_e_sm_commitment` function exactly. /// /// # Arguments -/// * `e_sm` - Smudging noise polynomial coefficients (one vector per modulus) -/// * `bit_e_sm` - The bit width for smudging noise coefficient bounds +/// * `e_sm` - Threshold smudging noise share coefficients (one vector per modulus) +/// * `bit_e_sm` - The bit width for threshold smudging noise share coefficient bounds /// /// # Returns /// A `BigInt` representing the commitment hash value -pub fn compute_secret_e_sm_commitment(e_sm: &[Vec], bit_e_sm: u32) -> BigInt { +pub fn compute_share_computation_e_sm_commitment(e_sm: &[Vec], bit_e_sm: u32) -> BigInt { let mut payload = Vec::new(); payload = flatten(payload, e_sm, bit_e_sm); let input_size = payload.len() as u32; let io_pattern = [0x80000000 | input_size, 1]; - let commitment_field = compute_commitments(payload, DS_SECRET, io_pattern)[0]; + let commitment_field = compute_commitments(payload, DS_SHARE_COMPUTATION, io_pattern)[0]; let commitment_bytes = commitment_field.into_bigint().to_bytes_le(); BigInt::from_bytes_le(num_bigint::Sign::Plus, &commitment_bytes) } -// ============================================================================ -// COMMITMENTS -// ============================================================================ - -/// Compute SPM commitment from message polynomial. +/// Compute share encryption commitment from message polynomial. /// -/// This matches the Noir `compute_spm_commitment_from_message` function exactly. +/// This matches the Noir `compute_share_encryption_commitment_from_message` function exactly. /// /// # Arguments /// * `message` - Message polynomial coefficients 
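Review bot: `compute_share_computation_sk_commitment` and `compute_share_computation_e_sm_commitment` both hash under `DS_SHARE_COMPUTATION`, so the secret-key share and the smudging-noise share are not domain-separated from each other; the only distinguishing input is the payload itself and its length in `io_pattern`. This predates the rename (they shared `DS_SECRET` before), but the commit does not address it. If the shared separator is required for Noir compatibility, say so on both functions, e.g. `// Deliberately shares DS_SHARE_COMPUTATION with the e_sm commitment to match the Noir circuit; the two are told apart by payload length only.`; otherwise give each its own separator (`SHARE_COMPUTATION_SK`, `SHARE_COMPUTATION_E_SM`) on both the Rust and Noir sides. The hunk's first function, `compute_threshold_pk_commitment`, begins outside it.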
@@ -262,21 +252,24 @@ pub fn compute_secret_e_sm_commitment(e_sm: &[Vec], bit_e_sm: u32) -> Bi /// /// # Returns /// A `BigInt` representing the commitment hash value -pub fn compute_spm_commitment_from_message(message: &[BigInt], bit_msg: u32) -> BigInt { +pub fn compute_share_encryption_commitment_from_message( + message: &[BigInt], + bit_msg: u32, +) -> BigInt { let mut payload = Vec::new(); payload = flatten(payload, &[message.to_vec()], bit_msg); let input_size = payload.len() as u32; let io_pattern = [0x80000000 | input_size, 1]; - let commitment_field = compute_commitments(payload, DS_SPM, io_pattern)[0]; + let commitment_field = compute_commitments(payload, DS_SHARE_ENCRYPTION, io_pattern)[0]; let commitment_bytes = commitment_field.into_bigint().to_bytes_le(); BigInt::from_bytes_le(num_bigint::Sign::Plus, &commitment_bytes) } -/// Compute SPM commitment from shares. +/// Compute share encryption commitment from shares. /// -/// This matches the Noir `compute_spm_commitment_from_shares` function exactly. +/// This matches the Noir `compute_share_encryption_commitment_from_shares` function exactly. /// Used in C2 (verify shares circuit). /// /// # Arguments @@ -286,7 +279,7 @@ pub fn compute_spm_commitment_from_message(message: &[BigInt], bit_msg: u32) -> /// /// # Returns /// A `BigInt` representing the commitment hash value -pub fn compute_spm_commitment_from_shares( +pub fn compute_share_encryption_commitment_from_shares( y: &[Vec>], party_idx: usize, mod_idx: usize, 
@@ -309,23 +302,27 @@ pub fn compute_spm_commitment_from_shares( let input_size = payload.len() as u32; let io_pattern = [0x80000000 | input_size, 1]; - let commitment_field = compute_commitments(payload, DS_SPM, io_pattern)[0]; + let commitment_field = compute_commitments(payload, DS_SHARE_ENCRYPTION, io_pattern)[0]; let commitment_bytes = commitment_field.into_bigint().to_bytes_le(); BigInt::from_bytes_le(num_bigint::Sign::Plus, &commitment_bytes) } -/// Compute public key aggregation commitment. +/// Compute threshold public key aggregation commitment. /// -/// This matches the Noir `compute_pk_agg_commitment` function exactly. +/// This matches the Noir `compute_pk_aggregation_commitment` function exactly. /// /// # Arguments -/// * `pk0` - First component of the public key (one vector per modulus) -/// * `pk1` - Second component of the public key (one vector per modulus) -/// * `bit_pk` - The bit width for public key coefficient bounds +/// * `pk0` - First component of the threshold public key (one vector per modulus) +/// * `pk1` - Second component of the threshold public key (one vector per modulus) +/// * `bit_pk` - The bit width for threshold public key coefficient bounds /// /// # Returns /// A `BigInt` representing the commitment hash value -pub fn compute_pk_agg_commitment(pk0: &[Vec], pk1: &[Vec], bit_pk: u32) -> BigInt { +pub fn compute_pk_aggregation_commitment( + pk0: &[Vec], + pk1: &[Vec], + bit_pk: u32, +) -> BigInt { let mut payload = Vec::new(); payload = flatten(payload, pk0, bit_pk); payload = flatten(payload, pk1, bit_pk); 
@@ -333,25 +330,25 @@ pub fn compute_pk_agg_commitment(pk0: &[Vec], pk1: &[Vec], bit_p let input_size = payload.len() as u32; let io_pattern = [0x80000000 | input_size, 1]; - let commitment_field = compute_commitments(payload, DS_PK_AGG, io_pattern)[0]; + let commitment_field = compute_commitments(payload, DS_PK_AGGREGATION, io_pattern)[0]; let commitment_bytes = commitment_field.into_bigint().to_bytes_le(); BigInt::from_bytes_le(num_bigint::Sign::Plus, &commitment_bytes) } /// Compute aggregation commitment. /// -/// This matches the Noir `compute_aggregation_commitment` function exactly. +/// This matches the Noir `compute_recursive_aggregation_commitment` function exactly. /// /// # Arguments /// * `payload` - Prepared payload as a vector of field elements /// /// # Returns /// A `BigInt` representing the commitment hash value -pub fn compute_aggregation_commitment(payload: Vec) -> BigInt { +pub fn compute_recursive_aggregation_commitment(payload: Vec) -> BigInt { let input_size = payload.len() as u32; let io_pattern = [0x80000000 | input_size, 1]; - let commitment_field = compute_commitments(payload, DS_AGGREGATION, io_pattern)[0]; + let commitment_field = compute_commitments(payload, DS_RECURSIVE_AGGREGATION, io_pattern)[0]; let commitment_bytes = commitment_field.into_bigint().to_bytes_le(); BigInt::from_bytes_le(num_bigint::Sign::Plus, &commitment_bytes) } @@ -399,7 +396,7 @@ pub fn compute_aggregated_shares_commitment(agg_shares: &[Vec], bit_msg: let input_size = payload.len() as u32; let io_pattern = [0x80000000 | input_size, 1]; - let commitment_field = compute_commitments(payload, DS_AGG_SHARES, io_pattern)[0]; + let commitment_field = compute_commitments(payload, DS_AGGREGATED_SHARES, io_pattern)[0]; let commitment_bytes = commitment_field.into_bigint().to_bytes_le(); BigInt::from_bytes_le(num_bigint::Sign::Plus, &commitment_bytes) } 
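Review bot: The summary line of `compute_recursive_aggregation_commitment` still reads `/// Compute aggregation commitment.` while the function, the `DS_RECURSIVE_AGGREGATION` tag and the Noir reference on the following line were all renamed to "recursive aggregation"; change it to `/// Compute recursive aggregation commitment.` so the three names agree. The same drift is in the next hunks: `compute_threshold_pk_challenge` is summarised as "public key generation challenge" and absorbs under `DS_CLG_PK_GENERATION`, so one vocabulary should win (`/// Compute threshold public key challenge.` matches both the function and the Noir name), and `compute_user_data_encryption_challenge_commitment` is the only summary that capitalises its subject ("User Data Encryption"), unlike "share encryption" and "threshold share decryption" in the surrounding docs. Because the stated contract of each function is that it matches a named Noir function "exactly", consistent naming across the Rust function, the `DS_*` tag and the Noir reference is what lets a reader confirm that the tag is the one the circuit uses.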
@@ -408,9 +405,9 @@ pub fn compute_aggregated_shares_commitment(agg_shares: &[Vec], bit_msg: // COMMITMENTS FOR CHALLENGES // ============================================================================ -/// Compute public key TRBFV challenge. +/// Compute public key generation challenge. /// -/// This matches the Noir `compute_pk_trbfv_challenge` function exactly. +/// This matches the Noir `compute_threshold_pk_challenge` function exactly. /// /// # Arguments /// * `payload` - Prepared payload as a vector of field elements @@ -418,11 +415,11 @@ pub fn compute_aggregated_shares_commitment(agg_shares: &[Vec], bit_msg: /// /// # Returns /// A vector of `BigInt` challenges (2*L elements) -pub fn compute_pk_trbfv_challenge(payload: Vec, l: usize) -> Vec { +pub fn compute_threshold_pk_challenge(payload: Vec, l: usize) -> Vec { let input_size = payload.len() as u32; let io_pattern = [0x80000000 | input_size, (2 * l as u32)]; - compute_commitments(payload, DS_CLG_PK_TRBFV, io_pattern) + compute_commitments(payload, DS_CLG_PK_GENERATION, io_pattern) .into_iter() .map(|challenge_field| { let challenge_bytes = challenge_field.into_bigint().to_bytes_le(); @@ -431,9 +428,9 @@ pub fn compute_pk_trbfv_challenge(payload: Vec, l: usize) -> Vec .collect() } -/// Compute BFV encryption challenge. +/// Compute share encryption challenge. /// -/// This matches the Noir `compute_bfv_enc_challenge` function exactly. +/// This matches the Noir `compute_share_encryption_challenge` function exactly. /// /// # Arguments /// * `payload` - Prepared payload as a vector of field elements 
@@ -441,11 +438,11 @@ pub fn compute_pk_trbfv_challenge(payload: Vec, l: usize) -> Vec /// /// # Returns /// A vector of `BigInt` challenges (2*L elements) -pub fn compute_bfv_enc_challenge(payload: Vec, l: usize) -> Vec { +pub fn compute_share_encryption_challenge(payload: Vec, l: usize) -> Vec { let input_size = payload.len() as u32; let io_pattern = [0x80000000 | input_size, (2 * l as u32)]; - compute_commitments(payload, DS_CLG_ENC_BFV, io_pattern) + compute_commitments(payload, DS_CLG_SHARE_ENCRYPTION, io_pattern) .into_iter() .map(|challenge_field| { let challenge_bytes = challenge_field.into_bigint().to_bytes_le(); @@ -454,9 +451,9 @@ pub fn compute_bfv_enc_challenge(payload: Vec, l: usize) -> Vec { .collect() } -/// Compute Greco challenge commitment. +/// Compute User Data Encryption challenge commitment. /// -/// This matches the Noir `compute_greco_challenge_commitment` function exactly. +/// This matches the Noir `compute_user_data_encryption_challenge_commitment` function exactly. /// Verifies pk_commitment using pk0is and pk1is, then generates challenges from gammas_payload. /// /// # Arguments @@ -472,7 +469,7 @@ pub fn compute_bfv_enc_challenge(payload: Vec, l: usize) -> Vec { /// /// # Panics /// Panics if the computed public key commitment doesn't match `pk_commitment` -pub fn compute_greco_challenge_commitment( +pub fn compute_user_data_encryption_challenge_commitment( pk0is: &[Vec], pk1is: &[Vec], gammas_payload: Vec, 
@@ -481,10 +478,10 @@ pub fn compute_greco_challenge_commitment( l: usize, ) -> Vec { // Verify pk_commitment matches the commitment from pk0is and pk1is - let computed_pk_commitment = compute_pk_agg_commitment(pk0is, pk1is, bit_pk); + let computed_pk_commitment = compute_pk_aggregation_commitment(pk0is, pk1is, bit_pk); if computed_pk_commitment != *pk_commitment { panic!( - "PK commitment mismatch in Greco circuit: expected {}, got {}", + "PK commitment mismatch in User Data Encryption circuit: expected {}, got {}", pk_commitment, computed_pk_commitment ); } @@ -492,7 +489,7 @@ pub fn compute_greco_challenge_commitment( let input_size = gammas_payload.len() as u32; let io_pattern = [0x80000000 | input_size, (2 * l as u32)]; - compute_commitments(gammas_payload, DS_CLG_GRECO, io_pattern) + compute_commitments(gammas_payload, DS_CLG_USER_DATA_ENCRYPTION, io_pattern) .into_iter() .map(|challenge_field| { let challenge_bytes = challenge_field.into_bigint().to_bytes_le(); 
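Review bot: `compute_user_data_encryption_challenge_commitment` still aborts with `panic!` when the caller-supplied `pk_commitment` differs from the recomputed `compute_pk_aggregation_commitment(pk0is, pk1is, bit_pk)`; since this commit already changes the function's name and therefore every call site, it is the cheap moment to make the mismatch a returned error (`Result<Vec<BigInt>, …>`) rather than a process abort, and to replace the `# Panics` section with an `# Errors` section accordingly. If `pk_commitment` can ever originate from another party's message, one malformed value currently aborts the whole process, whereas an `Err` lets the caller reject only that input. The function's signature starts outside this hunk and I have not seen its callers, so this is a suggestion rather than a required change.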
@@ -501,20 +498,20 @@ pub fn compute_greco_challenge_commitment( .collect() } -/// Compute decryption share challenge. +/// Compute threshold share decryption challenge. /// -/// This matches the Noir `compute_dec_share_challenge` function exactly. +/// This matches the Noir `compute_threshold_share_decryption_challenge` function exactly. /// /// # Arguments /// * `payload` - Prepared payload as a vector of field elements /// /// # Returns /// A `BigInt` representing the commitment hash value -pub fn compute_dec_share_challenge(payload: Vec) -> BigInt { +pub fn compute_threshold_share_decryption_challenge(payload: Vec) -> BigInt { let input_size = payload.len() as u32; let io_pattern = [0x80000000 | input_size, 1]; - let commitment_field = compute_commitments(payload, DS_CLG_DEC_SHARE, io_pattern)[0]; + let commitment_field = compute_commitments(payload, DS_CLG_SHARE_DECRYPTION, io_pattern)[0]; let commitment_bytes = commitment_field.into_bigint().to_bytes_le(); BigInt::from_bytes_le(num_bigint::Sign::Plus, &commitment_bytes) } @@ -548,7 +545,7 @@ mod tests { } #[test] - fn compute_spm_commitment_from_shares_matches_manual_payload() { + fn compute_share_encryption_commitment_from_shares_matches_manual_payload() { let y = vec![ vec![ vec![BigInt::from(0), BigInt::from(11), BigInt::from(12)], 
@@ -576,21 +573,56 @@ mod tests { let input_size = payload.len() as u32; let io_pattern = [0x80000000 | input_size, 1]; - let expected = field_to_bigint(compute_commitments(payload, DS_SPM, io_pattern)[0]); + let expected = + field_to_bigint(compute_commitments(payload, DS_SHARE_ENCRYPTION, io_pattern)[0]); - let actual = compute_spm_commitment_from_shares(&y, party_idx, mod_idx); + let actual = compute_share_encryption_commitment_from_shares(&y, party_idx, mod_idx); assert_eq!(actual, expected); } #[test] - fn challenge_lengths_match_expected_output() { + fn compute_threshold_pk_challenge_returns_2l_elements() { + let payload = vec![Field::from(1u64), Field::from(2u64)]; + let l = 3; + + let challenges = compute_threshold_pk_challenge(payload, l); + assert_eq!(challenges.len(), 2 * l); + } + + #[test] + fn compute_share_encryption_challenge_returns_2l_elements() { let payload = vec![Field::from(1u64), Field::from(2u64)]; let l = 3; - let pk_trbfv = compute_pk_trbfv_challenge(payload.clone(), l); - let bfv_enc = compute_bfv_enc_challenge(payload, l); + let challenges = compute_share_encryption_challenge(payload, l); + assert_eq!(challenges.len(), 2 * l); + } - assert_eq!(pk_trbfv.len(), 2 * l); - assert_eq!(bfv_enc.len(), 2 * l); + #[test] + fn compute_recursive_aggregation_commitment_matches_manual_payload() { + let payload = vec![Field::from(1u64), Field::from(2u64)]; + + let input_size = payload.len() as u32; + let io_pattern = [0x80000000 | input_size, 1]; + let expected = field_to_bigint( + compute_commitments(payload.clone(), DS_RECURSIVE_AGGREGATION, io_pattern)[0], + ); + + let actual = compute_recursive_aggregation_commitment(payload); + assert_eq!(actual, expected); + } + + #[test] + fn compute_threshold_share_decryption_challenge_returns_single_bigint() { + let payload = vec![Field::from(1u64), Field::from(2u64)]; + + let input_size = payload.len() as u32; + let io_pattern = [0x80000000 | input_size, 1]; + let expected = field_to_bigint( + 
compute_commitments(payload.clone(), DS_CLG_SHARE_DECRYPTION, io_pattern)[0], + ); + + let actual = compute_threshold_share_decryption_challenge(payload); + assert_eq!(actual, expected); } } diff --git a/examples/CRISP/Cargo.lock b/examples/CRISP/Cargo.lock index 8aaa5081a2..f5f50ab79a 100644 --- a/examples/CRISP/Cargo.lock +++ b/examples/CRISP/Cargo.lock @@ -104,8 +104,8 @@ version = "0.2.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e01ed3140b2f8d422c68afa1ed2e85d996ea619c988ac834d255db32138655cb" dependencies = [ - "quote 1.0.42", - "syn 2.0.111", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -220,9 +220,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f591380e2e68490b5dfaf1dd1aa0ebe78d84ba7067078512b4ea6e4492d622b8" dependencies = [ "actix-router", - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -231,9 +231,9 @@ version = "0.6.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b6ac1e58cded18cb28ddc17143c4dea5345b3ad575e14f32f66e4054a56eb271" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -322,9 +322,9 @@ dependencies = [ [[package]] name = "alloy-chains" -version = "0.2.23" +version = "0.2.30" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "35d744058a9daa51a8cf22a3009607498fcf82d3cf4c5444dd8056cdf651f471" +checksum = "90f374d3c6d729268bbe2d0e0ff992bb97898b2df756691a62ee1d5f0506bc39" dependencies = [ "alloy-primitives", "num_enum", @@ -354,7 +354,7 @@ dependencies = [ "serde", "serde_json", "serde_with", - "thiserror 2.0.17", + "thiserror 2.0.18", ] [[package]] @@ -391,7 +391,7 @@ dependencies = [ "futures 0.3.31", "futures-util", "serde_json", - "thiserror 2.0.17", + "thiserror 2.0.18", ] [[package]] 
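Review bot: The new `..._matches_manual_payload` tests compute `expected` by calling `compute_commitments` with the same `DS_*` tag and io_pattern the function under test uses, so they only prove that the wrapper forwards its arguments; they cannot tell whether the renamed tags still carry the values the Noir circuits expect, nor whether two tags collided during the rename, and the `..._returns_2l_elements` tests check length only. Given that every doc comment in this file claims to match a Noir function "exactly", a fixed known-answer vector per function (the `BigInt` the Noir implementation produces for a small payload) is the test that would actually catch a tag or byte-order drift; a domain-separation check is three lines, e.g. `let msg = vec![BigInt::from(1), BigInt::from(2)];` `assert_ne!(compute_share_encryption_commitment_from_message(&msg, 8), compute_share_computation_e_sm_commitment(&[msg.clone()], 8));`, and is worth adding for each pair of tags that hash the same payload shape. The known-answer values themselves have to come from the Noir side, so I have not proposed them here.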
@@ -433,7 +433,7 @@ dependencies = [ "alloy-rlp", "crc", "serde", - "thiserror 2.0.17", + "thiserror 2.0.18", ] [[package]] @@ -457,7 +457,7 @@ dependencies = [ "alloy-rlp", "k256", "serde", - "thiserror 2.0.17", + "thiserror 2.0.18", ] [[package]] @@ -479,7 +479,7 @@ dependencies = [ "serde", "serde_with", "sha2", - "thiserror 2.0.17", + "thiserror 2.0.18", ] [[package]] @@ -532,7 +532,7 @@ dependencies = [ "http 1.4.0", "serde", "serde_json", - "thiserror 2.0.17", + "thiserror 2.0.18", "tracing", ] @@ -559,7 +559,7 @@ dependencies = [ "futures-utils-wasm", "serde", "serde_json", - "thiserror 2.0.17", + "thiserror 2.0.18", ] [[package]] @@ -591,7 +591,7 @@ dependencies = [ "rand 0.8.5", "serde_json", "tempfile", - "thiserror 2.0.17", + "thiserror 2.0.18", "tracing", "url", ] @@ -609,7 +609,7 @@ dependencies = [ "derive_more", "foldhash", "hashbrown 0.15.5", - "indexmap 2.12.1", + "indexmap 2.13.0", "itoa", "k256", "keccak-asm", @@ -663,7 +663,7 @@ dependencies = [ "reqwest", "serde", "serde_json", - "thiserror 2.0.17", + "thiserror 2.0.18", "tokio", "tracing", "url", @@ -694,9 +694,9 @@ dependencies = [ [[package]] name = "alloy-rlp" -version = "0.3.12" +version = "0.3.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f70d83b765fdc080dbcd4f4db70d8d23fe4761f2f02ebfa9146b833900634b4" +checksum = "e93e50f64a77ad9c5470bf2ad0ca02f228da70c792a8f06634801e202579f35e" dependencies = [ "alloy-rlp-derive", "arrayvec", @@ -705,13 +705,13 @@ dependencies = [ [[package]] name = "alloy-rlp-derive" -version = "0.3.12" +version = "0.3.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "64b728d511962dda67c1bc7ea7c03736ec275ed2cf4c35d9585298ac9ccf3b73" +checksum = "ce8849c74c9ca0f5a03da1c865e3eb6f768df816e67dd3721a398a8a7e398011" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] 
@@ -827,7 +827,7 @@ dependencies = [ "serde", "serde_json", "serde_with", - "thiserror 2.0.17", + "thiserror 2.0.18", ] [[package]] @@ -841,7 +841,7 @@ dependencies = [ "alloy-serde", "serde", "serde_json", - "thiserror 2.0.17", + "thiserror 2.0.18", ] [[package]] @@ -879,7 +879,7 @@ dependencies = [ "either", "elliptic-curve", "k256", - "thiserror 2.0.17", + "thiserror 2.0.18", ] [[package]] @@ -895,7 +895,7 @@ dependencies = [ "async-trait", "k256", "rand 0.8.5", - "thiserror 2.0.17", + "thiserror 2.0.18", ] [[package]] @@ -907,9 +907,9 @@ dependencies = [ "alloy-sol-macro-expander", "alloy-sol-macro-input", "proc-macro-error2", - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -922,11 +922,11 @@ dependencies = [ "alloy-sol-macro-input", "const-hex", "heck", - "indexmap 2.12.1", + "indexmap 2.13.0", "proc-macro-error2", - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", "syn-solidity", "tiny-keccak", ] @@ -942,18 +942,18 @@ dependencies = [ "dunce", "heck", "macro-string", - "proc-macro2 1.0.103", - "quote 1.0.42", + "proc-macro2 1.0.106", + "quote 1.0.44", "serde_json", - "syn 2.0.111", + "syn 2.0.114", "syn-solidity", ] [[package]] name = "alloy-sol-type-parser" -version = "1.5.2" +version = "1.5.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "af67a0b0dcebe14244fc92002cd8d96ecbf65db4639d479f5fcd5805755a4c27" +checksum = "94b91b13181d3bcd23680fd29d7bc861d1f33fbe90fdd0af67162434aeba902d" dependencies = [ "serde", "winnow", @@ -987,7 +987,7 @@ dependencies = [ "parking_lot 0.12.5", "serde", "serde_json", - "thiserror 2.0.17", + "thiserror 2.0.18", "tokio", "tower", "tracing", 
@@ -1050,9 +1050,9 @@ dependencies = [ [[package]] name = "alloy-trie" -version = "0.9.2" +version = "0.9.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2b77b56af09ead281337d06b1d036c88e2dc8a2e45da512a532476dbee94912b" +checksum = "428aa0f0e0658ff091f8f667c406e034b431cb10abd39de4f507520968acc499" dependencies = [ "alloy-primitives", "alloy-rlp", @@ -1071,9 +1071,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ab54221eccefa254ce9f65b079c097b1796e48c21c7ce358230f8988d75392fb" dependencies = [ "darling", - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -1127,7 +1127,7 @@ version = "1.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "40c48f72fd53cd289104fc64099abca73db4166ad86ea0b4341abe65af83dadc" dependencies = [ - "windows-sys 0.60.2", + "windows-sys 0.61.2", ] [[package]] @@ -1138,7 +1138,7 @@ checksum = "291e6a250ff86cd4a820112fb8898808a366d8f9f58ce16d1f538353ad55747d" dependencies = [ "anstyle", "once_cell_polyfill", - "windows-sys 0.60.2", + "windows-sys 0.61.2", ] [[package]] @@ -1271,7 +1271,7 @@ version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "db02d390bf6643fb404d3d22d31aee1c4bc4459600aef9113833d17e786c6e44" dependencies = [ - "quote 1.0.42", + "quote 1.0.44", "syn 1.0.109", ] @@ -1281,7 +1281,7 @@ version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3ed4aa4fe255d0bc6d79373f7e31d2ea147bcf486cba1be5ba7ea85abdb92348" dependencies = [ - "quote 1.0.42", + "quote 1.0.44", "syn 1.0.109", ] @@ -1291,8 +1291,8 @@ version = "0.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "62945a2f7e6de02a31fe400aa489f0e0f5b2502e69f95f853adb82a96c7a6b60" dependencies = [ - "quote 1.0.42", - "syn 2.0.111", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] 
@@ -1303,7 +1303,7 @@ checksum = "db2fd794a08ccb318058009eefdf15bcaaaaf6f8161eb3345f907222bac38b20" dependencies = [ "num-bigint", "num-traits", - "quote 1.0.42", + "quote 1.0.44", "syn 1.0.109", ] @@ -1315,8 +1315,8 @@ checksum = "7abe79b0e4288889c4574159ab790824d0033b9fdcb2a112a3182fac2e514565" dependencies = [ "num-bigint", "num-traits", - "proc-macro2 1.0.103", - "quote 1.0.42", + "proc-macro2 1.0.106", + "quote 1.0.44", "syn 1.0.109", ] @@ -1328,9 +1328,9 @@ checksum = "09be120733ee33f7693ceaa202ca41accd5653b779563608f1234f78ae07c4b3" dependencies = [ "num-bigint", "num-traits", - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -1402,8 +1402,8 @@ version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ae3281bc6d0fd7e549af32b52511e1302185bd688fd3359fa36423346ff682ea" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", + "proc-macro2 1.0.106", + "quote 1.0.44", "syn 1.0.109", ] @@ -1413,9 +1413,9 @@ version = "0.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "213888f660fddcca0d257e88e54ac05bca01885f258ccdf695bafd77031bb69d" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -1480,9 +1480,9 @@ version = "0.3.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c7c24de15d275a1ecfd47a380fb4d5ec9bfe0933f309ed5e705b775596a3574d" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] 
@@ -1491,9 +1491,9 @@ version = "0.1.88" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e539d3fca749fcee5236ab05e93a52867dd549cc157c8cb7f99595f3cedffdb5" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -1519,9 +1519,9 @@ version = "1.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ffdcb70bdbc4d478427380519163274ac86e52916e10f0a8889adf0f96d3fee7" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -1565,9 +1565,9 @@ checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6" [[package]] name = "base64ct" -version = "1.8.1" +version = "1.8.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0e050f626429857a27ddccb31e0aca21356bfa709c04041aefddac081a8f068a" +checksum = "2af50177e190e07a26ab74f8b1efbfe2ef87da2116221318cb1c2e82baf7de06" [[package]] name = "bigdecimal" @@ -1657,15 +1657,16 @@ dependencies = [ [[package]] name = "blake3" -version = "1.8.2" +version = "1.8.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3888aaa89e4b2a40fca9848e400f6a658a5a3978de7be858e209cafa8be9a4a0" +checksum = "2468ef7d57b3fb7e16b576e8377cdbde2320c60e1491e961d11da40fc4f02a2d" dependencies = [ "arrayref", "arrayvec", "cc", "cfg-if 1.0.4", "constant_time_eq", + "cpufeatures", ] [[package]] @@ -1763,9 +1764,9 @@ dependencies = [ [[package]] name = "cc" -version = "1.2.50" +version = "1.2.55" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9f50d563227a1c37cc0a263f64eca3334388c01c5e4c4861a9def205c614383c" +checksum = "47b26a0954ae34af09b50f0de26458fa95369a0d478d8236d3f93082b219bd29" dependencies = [ "find-msvc-tools", "jobserver", 
@@ -1835,16 +1836,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ef4f52386a59ca4c860f7393bcf8abd8dfd91ecccc0f774635ff68e92eeef491" dependencies = [ "heck", - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] name = "clap_lex" -version = "0.7.6" +version = "0.7.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a1d728cc89cf3aee9ff92b05e62b19ee65a02b5702cff7d5a377e32c6ae29d8d" +checksum = "c3e64b0cc0439b12df2fa678eae89a1c56a529fd067a9115f7827f1fffd22b32" [[package]] name = "colorchoice" @@ -1928,7 +1929,7 @@ version = "0.1.16" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f9d839f2a20b0aee515dc581a6172f2321f96cab76c1a38a4c584a194955390e" dependencies = [ - "getrandom 0.2.16", + "getrandom 0.2.17", "once_cell", "tiny-keccak", ] @@ -1948,16 +1949,16 @@ version = "0.2.34" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1d57c2eccfb16dbac1f4e61e206105db5820c9d26c3c472bc17c774259ef7744" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", + "proc-macro2 1.0.106", + "quote 1.0.44", "unicode-xid 0.2.6", ] [[package]] name = "constant_time_eq" -version = "0.3.1" +version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7c74b8349d32d297c9134b8c88677813a227df8f779daa29bfc29c183fe3dca6" +checksum = "3d52eff69cd5e647efe296129160853a42795992097e8af39800e1060caeea9b" [[package]] name = "convert_case" @@ -2055,7 +2056,6 @@ dependencies = [ "chrono", "clap", "config", - "crisp-constants", "crisp-utils", "derivative", "dialoguer", @@ -2083,14 +2083,6 @@ dependencies = [ "tokio", ] -[[package]] -name = "crisp-constants" -version = "0.1.0" -dependencies = [ - "e3-fhe-params", - "e3-sdk", -] - [[package]] name = "crisp-utils" version = "0.1.0" 
@@ -2107,7 +2099,7 @@ name = "crisp-zk-inputs" version = "0.1.0" dependencies = [ "e3-fhe-params", - "getrandom 0.2.16", + "getrandom 0.2.17", "js-sys", "num-bigint", "serde_json", @@ -2197,11 +2189,11 @@ checksum = "1247195ecd7e3c85f83c8d2a366e4210d588e802133e1e355180a9870b517ea4" dependencies = [ "fnv", "ident_case", - "proc-macro2 1.0.103", - "quote 1.0.42", + "proc-macro2 1.0.106", + "quote 1.0.44", "serde", "strsim", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] @@ -2211,8 +2203,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d38308df82d1080de0afee5d069fa14b0326a88c14f15c5ccda35b4a6c414c81" dependencies = [ "darling_core", - "quote 1.0.42", - "syn 2.0.111", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -2231,9 +2223,9 @@ dependencies = [ [[package]] name = "data-encoding" -version = "2.9.0" +version = "2.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2a2330da5de22e8a3cb63252ce2abb30116bf5265e89c0e01bc17015ce30a476" +checksum = "d7a1e2f27636f116493b8b860f5546edb47c8d8f8ea73e1d2a20be88e28d1fea" [[package]] name = "der" @@ -2261,8 +2253,8 @@ version = "2.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fcc3dd5e9e9c0b295d6e1e4d811fb6f157d5ffd784b8d202fc62eac8035a770b" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", + "proc-macro2 1.0.106", + "quote 1.0.44", "syn 1.0.109", ] @@ -2282,10 +2274,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "799a97264921d8623a957f6c3b9011f3b5492f557bbb7a5a19b7fa6d06ba8dcb" dependencies = [ "convert_case 0.10.0", - "proc-macro2 1.0.103", - "quote 1.0.42", + "proc-macro2 1.0.106", + "quote 1.0.44", "rustc_version 0.4.1", - "syn 2.0.111", + "syn 2.0.114", "unicode-xid 0.2.6", ] 
@@ -2330,9 +2322,9 @@ version = "0.2.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -2473,6 +2465,17 @@ dependencies = [ "thiserror 1.0.69", ] +[[package]] +name = "e3-polynomial" +version = "0.1.8" +source = "git+https://github.com/gnosisguild/enclave?branch=main#ebf6f386dcefd6ab9c5060d4b8932ed1fa1132b9" +dependencies = [ + "num-bigint", + "num-traits", + "serde", + "thiserror 1.0.69", +] + [[package]] name = "e3-program-server" version = "0.1.8" @@ -2499,6 +2502,18 @@ dependencies = [ "taceo-poseidon2", ] +[[package]] +name = "e3-safe" +version = "0.1.8" +source = "git+https://github.com/gnosisguild/enclave#ebf6f386dcefd6ab9c5060d4b8932ed1fa1132b9" +dependencies = [ + "ark-bn254 0.5.0", + "ark-ff 0.5.0", + "hex", + "sha3", + "taceo-poseidon2", +] + [[package]] name = "e3-sdk" version = "0.1.8" @@ -2551,8 +2566,8 @@ version = "0.1.8" dependencies = [ "ark-bn254 0.5.0", "ark-ff 0.5.0", - "e3-polynomial", - "e3-safe", + "e3-polynomial 0.1.8", + "e3-safe 0.1.8", "fhe", "num-bigint", "num-traits", @@ -2581,9 +2596,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1d7bc049e1bd8cdeb31b68bbd586a9464ecf9f3944af3958a7a9d0f8b9799417" dependencies = [ "enum-ordinalize", - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -2645,9 +2660,9 @@ version = "4.3.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8ca9601fb2d62598ee17836250842873a413586e5d7ed88b356e38ddbb0ec631" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] 
@@ -2686,7 +2701,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb" dependencies = [ "libc", - "windows-sys 0.52.0", + "windows-sys 0.61.2", ] [[package]] @@ -2825,9 +2840,9 @@ dependencies = [ [[package]] name = "find-msvc-tools" -version = "0.1.5" +version = "0.1.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3a3076410a55c90011c298b04d0cfa770b00fa04e1e3c97d3f6c9de105a03844" +checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582" [[package]] name = "fixed-hash" @@ -2849,9 +2864,9 @@ checksum = "0ce7134b9999ecaf8bcd65542e436736ef32ddca1b3e06094cb6ec5755203b80" [[package]] name = "flate2" -version = "1.1.5" +version = "1.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bfe33edd8e85a12a67454e37f8c75e730830d83e313556ab9ebf9ee7fbeb3bfb" +checksum = "b375d6465b98090a5f25b1c7703f3859783755aa9a80433b36e0379a3ec2f369" dependencies = [ "crc32fast", "miniz_oxide", @@ -2969,9 +2984,9 @@ version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "162ee34ebcb7c64a8abebc059ce0fee27c2262618d7b60ed8faf72fef13c3650" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -3041,9 +3056,9 @@ dependencies = [ [[package]] name = "getrandom" -version = "0.2.16" +version = "0.2.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "335ff9f135e4384c8150d6f27c6daed433577f86b4750418338c01a1a2528592" +checksum = "ff2abc00be7fca6ebc474524697ae276ad847ad0a6b3faa4bcb027e9a4614ad0" dependencies = [ "cfg-if 1.0.4", "js-sys", @@ -3101,7 +3116,7 @@ dependencies = [ "futures-sink", "futures-util", "http 0.2.12", - "indexmap 2.12.1", + "indexmap 2.13.0", "slab", "tokio", "tokio-util", 
@@ -3110,9 +3125,9 @@ dependencies = [ [[package]] name = "h2" -version = "0.4.12" +version = "0.4.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f3c0b69cfcb4e1b9f1bf2f53f95f766e4661169728ec61cd3fe5a0166f2d1386" +checksum = "2f44da3a8150a6703ed5d34e164b875fd14c2cdab9af1252a9a1020bde2bdc54" dependencies = [ "atomic-waker", "bytes", @@ -3120,7 +3135,7 @@ dependencies = [ "futures-core", "futures-sink", "http 1.4.0", - "indexmap 2.12.1", + "indexmap 2.13.0", "slab", "tokio", "tokio-util", @@ -3268,7 +3283,7 @@ dependencies = [ "bytes", "futures-channel", "futures-core", - "h2 0.4.12", + "h2 0.4.13", "http 1.4.0", "http-body", "httparse", @@ -3294,7 +3309,7 @@ dependencies = [ "tokio", "tokio-rustls", "tower-service", - "webpki-roots 1.0.4", + "webpki-roots 1.0.5", ] [[package]] @@ -3315,14 +3330,13 @@ dependencies = [ [[package]] name = "hyper-util" -version = "0.1.19" +version = "0.1.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "727805d60e7938b76b826a6ef209eb70eaa1812794f9424d4a4e2d740662df5f" +checksum = "96547c2556ec9d12fb1578c4eaf448b04993e7fb79cbaad930a656880a6bdfa0" dependencies = [ "base64 0.22.1", "bytes", "futures-channel", - "futures-core", "futures-util", "http 1.4.0", "http-body", @@ -3331,7 +3345,7 @@ dependencies = [ "libc", "percent-encoding", "pin-project-lite", - "socket2 0.6.1", + "socket2 0.6.2", "system-configuration", "tokio", "tower-service", @@ -3341,9 +3355,9 @@ dependencies = [ [[package]] name = "iana-time-zone" -version = "0.1.64" +version = "0.1.65" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "33e57f83510bb73707521ebaffa789ec8caf86f9657cad665b092b581d40e9fb" +checksum = "e31bc9ad994ba00e440a8aa5c9ef0ec67d5cb5e5cb0cc7f8b744a35b389cc470" dependencies = [ "android_system_properties", "core-foundation-sys", 
@@ -3492,9 +3506,9 @@ version = "0.2.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a0eb5a3343abf848c0984fe4604b2b105da9539376e24fc0a3b0007411ae4fd9" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -3516,9 +3530,9 @@ dependencies = [ [[package]] name = "indexmap" -version = "2.12.1" +version = "2.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0ad4bb2b565bca0645f4d68c5c9af97fba094e9791da685bf83cb5f3ce74acf2" +checksum = "7714e70437a7dc3ac8eb7e6f8df75fd8eb422675fc7678aff7364301092b1017" dependencies = [ "equivalent", "hashbrown 0.16.1", @@ -3569,9 +3583,9 @@ checksum = "469fb0b9cefa57e3ef31275ee7cacb78f2fdca44e4765491884a2b119d4eb130" [[package]] name = "iri-string" -version = "0.7.9" +version = "0.7.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4f867b9d1d896b67beb18518eda36fdb77a32ea590de864f1325b294a6d14397" +checksum = "c91338f0783edbd6195decb37bae672fd3b165faffb89bf7b9e6942f8b1a731a" dependencies = [ "memchr", "serde", @@ -3621,15 +3635,15 @@ dependencies = [ [[package]] name = "itoa" -version = "1.0.16" +version = "1.0.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7ee5b5339afb4c41626dde77b7a611bd4f2c202b897852b4bcf5d03eddc61010" +checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2" [[package]] name = "jiff" -version = "0.2.16" +version = "0.2.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "49cce2b81f2098e7e3efc35bc2e0a6b7abec9d34128283d7a26fa8f32a6dbb35" +checksum = "e67e8da4c49d6d9909fe03361f9b620f58898859f5c7aded68351e85e71ecf50" dependencies = [ "jiff-static", "log", 
@@ -3640,13 +3654,13 @@ dependencies = [ [[package]] name = "jiff-static" -version = "0.2.16" +version = "0.2.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "980af8b43c3ad5d8d349ace167ec8170839f753a42d233ba19e08afe1850fa69" +checksum = "e0c84ee7f197eca9a86c6fd6cb771e55eb991632f15f2bc3ca6ec838929e6e78" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -3661,9 +3675,9 @@ dependencies = [ [[package]] name = "js-sys" -version = "0.3.83" +version = "0.3.85" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "464a3709c7f55f1f721e5389aa6ea4e3bc6aba669353300af094b29ffbdde1d8" +checksum = "8c942ebf8e95485ca0d52d97da7c5a2c387d0e7f0ba4c35e93bfcaee045955b3" dependencies = [ "once_cell", "wasm-bindgen", @@ -3705,9 +3719,9 @@ dependencies = [ [[package]] name = "keccak-asm" -version = "0.1.4" +version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "505d1856a39b200489082f90d897c3f07c455563880bc5952e38eabf731c83b6" +checksum = "b646a74e746cd25045aa0fd42f4f7f78aa6d119380182c7e63a5593c4ab8df6f" dependencies = [ "digest 0.10.7", "sha3-asm", @@ -3739,15 +3753,15 @@ dependencies = [ [[package]] name = "libc" -version = "0.2.178" +version = "0.2.180" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "37c93d8daa9d8a012fd8ab92f088405fb202ea0b6ab73ee2482ae66af4f42091" +checksum = "bcc35a38544a891a5f7c865aca548a982ccb3b8650a5b06d0fd33a10283c56fc" [[package]] name = "libm" -version = "0.2.15" +version = "0.2.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f9fbbcab51052fe104eb5e5d351cf728d30a5be1fe14d9be8a3b097481fb97de" +checksum = "b6d2cec3eae94f9f509c767b45932f1ada8350c4bdb85af2fcab4a3c14807981" [[package]] name = "light-poseidon" 
@@ -3843,9 +3857,9 @@ version = "0.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1b27834086c65ec3f9387b096d66e99f221cf081c2b738042aa252bcd41204e3" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -4068,16 +4082,16 @@ version = "0.7.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ff32365de1b6743cb203b710788263c44a03de03802daf96092f2da4fe6ba4d7" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] name = "nybbles" -version = "0.4.6" +version = "0.4.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2c4b5ecbd0beec843101bffe848217f770e8b8da81d8355b7d6e226f2199b3dc" +checksum = "7b5676b5c379cf5b03da1df2b3061c4a4e2aa691086a56ac923e08c143f53f59" dependencies = [ "alloy-rlp", "cfg-if 1.0.4", @@ -4129,9 +4143,9 @@ version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -4185,9 +4199,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "34b4653168b563151153c9e4c08ebed57fb8262bebfa79711552fa983c623e7a" dependencies = [ "proc-macro-crate", - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] 
@@ -4258,9 +4272,9 @@ checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220" [[package]] name = "pest" -version = "2.8.4" +version = "2.8.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cbcfd20a6d4eeba40179f05735784ad32bdaef05ce8e8af05f180d45bb3e7e22" +checksum = "2c9eb05c21a464ea704b53158d358a31e6425db2f63a1a7312268b05fe2b75f7" dependencies = [ "memchr", "ucd-trie", @@ -4268,9 +4282,9 @@ dependencies = [ [[package]] name = "pest_derive" -version = "2.8.4" +version = "2.8.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "51f72981ade67b1ca6adc26ec221be9f463f2b5839c7508998daa17c23d94d7f" +checksum = "68f9dbced329c441fa79d80472764b1a2c7e57123553b8519b36663a2fb234ed" dependencies = [ "pest", "pest_generator", @@ -4278,22 +4292,22 @@ dependencies = [ [[package]] name = "pest_generator" -version = "2.8.4" +version = "2.8.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dee9efd8cdb50d719a80088b76f81aec7c41ed6d522ee750178f83883d271625" +checksum = "3bb96d5051a78f44f43c8f712d8e810adb0ebf923fc9ed2655a7f66f63ba8ee5" dependencies = [ "pest", "pest_meta", - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] name = "pest_meta" -version = "2.8.4" +version = "2.8.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bf1d70880e76bdc13ba52eafa6239ce793d85c8e43896507e43dd8984ff05b82" +checksum = "602113b5b5e8621770cfd490cfd90b9f84ab29bd2b0e49ad83eb6d186cef2365" dependencies = [ "pest", "sha2", @@ -4306,7 +4320,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b4c5cc86750666a3ed20bdaf5ca2a0344f9c67674cae0515bec2da16fbaa47db" dependencies = [ "fixedbitset", - "indexmap 2.12.1", + "indexmap 2.13.0", ] [[package]] 
@@ -4334,9 +4348,9 @@ version = "1.1.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6e918e4ff8c4549eb882f14b3a4bc8c8bc93de829416eacf579f1207a8fbf861" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -4367,28 +4381,17 @@ version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c" -[[package]] -name = "polynomial" -version = "0.1.7" -source = "git+https://github.com/gnosisguild/enclave?branch=main#54db685297b55d517aa86a6005e77e9a0354af02" -dependencies = [ - "num-bigint", - "num-traits", - "serde", - "thiserror 1.0.69", -] - [[package]] name = "portable-atomic" -version = "1.12.0" +version = "1.13.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f59e70c4aef1e55797c2e8fd94a4f2a973fc972cfde0e0b05f683667b0cd39dd" +checksum = "c33a9471896f1c69cecef8d20cbe2f7accd12527ce60845ff44c153bb2a21b49" [[package]] name = "portable-atomic-util" -version = "0.2.4" +version = "0.2.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d8a2f0d8d040d7848a709caf78912debcc3f33ee4b3cac47d73d1e1069e83507" +checksum = "7a9db96d7fa8782dd8c15ce32ffe8680bbd1e978a43bf51a34d39483540495f5" dependencies = [ "portable-atomic", ] @@ -4423,8 +4426,8 @@ version = "0.2.37" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "479ca8adacdd7ce8f1fb39ce9ecccbfe93a3f1344b3d0d97f20bc0196208f62b" dependencies = [ - "proc-macro2 1.0.103", - "syn 2.0.111", + "proc-macro2 1.0.106", + "syn 2.0.114", ] [[package]] 
@@ -4464,8 +4467,8 @@ version = "2.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "96de42df36bb9bba5542fe9f1a054b8cc87e172759a1868aa05c1f3acc89dfc5" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", + "proc-macro2 1.0.106", + "quote 1.0.44", ] [[package]] @@ -4475,9 +4478,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "11ec05c52be0a07b08061f7dd003e7d7092e0472bc731b4af7bb1ef876109802" dependencies = [ "proc-macro-error-attr2", - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -4491,9 +4494,9 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.103" +version = "1.0.106" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5ee95bc4ef87b8d5ba32e8b7714ccc834865276eab0aed5c9958d00ec45f49e8" +checksum = "8fd00f0bb2e90d81d1044c2b32617f68fcb9fa3bb7640c23e9c748e53fb30934" dependencies = [ "unicode-ident", ] @@ -4544,7 +4547,7 @@ dependencies = [ "prost", "prost-types", "regex", - "syn 2.0.111", + "syn 2.0.114", "tempfile", ] @@ -4556,9 +4559,9 @@ checksum = "81bddcdb20abf9501610992b6759a4c888aef7d1a7247ef75e2404275ac24af1" dependencies = [ "anyhow", "itertools 0.12.1", - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -4589,8 +4592,8 @@ dependencies = [ "quinn-udp", "rustc-hash", "rustls", - "socket2 0.6.1", - "thiserror 2.0.17", + "socket2 0.6.2", + "thiserror 2.0.18", "tokio", "tracing", "web-time", @@ -4611,7 +4614,7 @@ dependencies = [ "rustls", "rustls-pki-types", "slab", - "thiserror 2.0.17", + "thiserror 2.0.18", "tinyvec", "tracing", "web-time", @@ -4626,7 +4629,7 @@ dependencies = [ "cfg_aliases", "libc", "once_cell", - "socket2 0.6.1", + "socket2 0.6.2", "tracing", "windows-sys 0.60.2", ] 
@@ -4642,11 +4645,11 @@ dependencies = [ [[package]] name = "quote" -version = "1.0.42" +version = "1.0.44" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a338cc41d27e6cc6dce6cefc13a0729dfbb81c262b1f519331575dd80ef3067f" +checksum = "21b2ebcf727b7760c461f091f9f0f539b77b8e87f2fd88131e7f1b433b3cece4" dependencies = [ - "proc-macro2 1.0.103", + "proc-macro2 1.0.106", ] [[package]] @@ -4680,7 +4683,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1" dependencies = [ "rand_chacha 0.9.0", - "rand_core 0.9.3", + "rand_core 0.9.5", "serde", ] @@ -4701,7 +4704,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb" dependencies = [ "ppv-lite86", - "rand_core 0.9.3", + "rand_core 0.9.5", ] [[package]] @@ -4710,14 +4713,14 @@ version = "0.6.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c" dependencies = [ - "getrandom 0.2.16", + "getrandom 0.2.17", ] [[package]] name = "rand_core" -version = "0.9.3" +version = "0.9.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "99d9a13982dcf210057a8a78572b2217b667c3beacbf3a0d8b454f6f82837d38" +checksum = "76afc826de14238e6e8c374ddcc1fa19e374fd8dd986b0d2af0d02377261d83c" dependencies = [ "getrandom 0.3.4", "serde", @@ -4739,7 +4742,7 @@ version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "513962919efc330f829edb2535844d1b912b0fbe2ca165d613e4e8788bb05a5a" dependencies = [ - "rand_core 0.9.3", + "rand_core 0.9.5", ] [[package]] 
@@ -4807,9 +4810,9 @@ version = "1.0.25" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b7186006dcb21920990093f30e3dea63b7d6e977bf1256be20c3563a5db070da" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -4857,7 +4860,7 @@ dependencies = [ "bytes", "encoding_rs", "futures-core", - "h2 0.4.12", + "h2 0.4.13", "http 1.4.0", "http-body", "http-body-util", @@ -4886,9 +4889,9 @@ dependencies = [ "tower-service", "url", "wasm-bindgen", - "wasm-bindgen-futures 0.4.56", + "wasm-bindgen-futures 0.4.58", "web-sys", - "webpki-roots 1.0.4", + "webpki-roots 1.0.5", ] [[package]] @@ -4909,7 +4912,7 @@ checksum = "a4689e6c2294d81e88dc6261c768b63bc4fcdb852be6d1352498b114f61383b7" dependencies = [ "cc", "cfg-if 1.0.4", - "getrandom 0.2.16", + "getrandom 0.2.17", "libc", "untrusted", "windows-sys 0.52.0", @@ -4939,9 +4942,9 @@ dependencies = [ [[package]] name = "ruint" -version = "1.17.0" +version = "1.17.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a68df0380e5c9d20ce49534f292a36a7514ae21350726efe1865bdb1fa91d278" +checksum = "c141e807189ad38a07276942c6623032d3753c8859c146104ac2e4d68865945a" dependencies = [ "alloy-rlp", "ark-ff 0.3.0", @@ -4983,9 +4986,9 @@ dependencies = [ [[package]] name = "rustc-demangle" -version = "0.1.26" +version = "0.1.27" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "56f7d92ca342cea22a06f2121d944b4fd82af56988c270852495420f961d4ace" +checksum = "b50b8869d9fc858ce7266cce0194bd74df58b9d0e3f6df3a9fc8eb470d95c09d" [[package]] name = "rustc-hash" 
@@ -5027,14 +5030,14 @@ dependencies = [ "errno", "libc", "linux-raw-sys", - "windows-sys 0.52.0", + "windows-sys 0.61.2", ] [[package]] name = "rustls" -version = "0.23.35" +version = "0.23.36" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "533f54bc6a7d4f647e46ad909549eda97bf5afc1585190ef692b4286b198bd8f" +checksum = "c665f33d38cea657d9614f766881e4d510e0eda4239891eea56b4cadcf01801b" dependencies = [ "once_cell", "ring", @@ -5046,9 +5049,9 @@ dependencies = [ [[package]] name = "rustls-pki-types" -version = "1.13.2" +version = "1.14.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "21e6f2ab2928ca4291b86736a8bd920a277a399bba1589409d72154ff87c1282" +checksum = "be040f8b0a225e40375822a563fa9524378b9d63112f53e19ffff34df5d33fdd" dependencies = [ "web-time", "zeroize", @@ -5056,9 +5059,9 @@ dependencies = [ [[package]] name = "rustls-webpki" -version = "0.103.8" +version = "0.103.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2ffdfa2f5286e2247234e03f680868ac2815974dc39e00ea15adc445d0aafe52" +checksum = "d7df23109aa6c1567d1c575b9952556388da57401e4ace1d15f79eedad0d8f53" dependencies = [ "ring", "rustls-pki-types", @@ -5085,21 +5088,9 @@ dependencies = [ [[package]] name = "ryu" -version = "1.0.21" +version = "1.0.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "62049b2877bf12821e8f9ad256ee38fdc31db7387ec2d3b3f403024de2034aea" - -[[package]] -name = "safe" -version = "0.1.7" -source = "git+https://github.com/gnosisguild/enclave#54db685297b55d517aa86a6005e77e9a0354af02" -dependencies = [ - "ark-bn254 0.5.0", - "ark-ff 0.5.0", - "hex", - "sha3", - "taceo-poseidon2", -] +checksum = "a50f4cf475b65d88e057964e0e9bb1f0aa9bbb2036dc65c64596b42932536984" [[package]] name = "schannel" 
@@ -5124,9 +5115,9 @@ dependencies = [ [[package]] name = "schemars" -version = "1.1.0" +version = "1.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9558e172d4e8533736ba97870c4b2cd63f84b382a3d6eb063da41b91cce17289" +checksum = "a2b42f36aa1cd011945615b92222f6bf73c599a102a300334cd7f8dbeec726cc" dependencies = [ "dyn-clone", "ref-cast", @@ -5260,9 +5251,9 @@ version = "1.0.228" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -5308,9 +5299,9 @@ dependencies = [ "chrono", "hex", "indexmap 1.9.3", - "indexmap 2.12.1", + "indexmap 2.13.0", "schemars 0.9.0", - "schemars 1.1.0", + "schemars 1.2.1", "serde", "serde_derive", "serde_json", @@ -5325,9 +5316,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "327ada00f7d64abaac1e55a6911e90cf665aa051b9a561c7006c157f4633135e" dependencies = [ "darling", - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -5374,9 +5365,9 @@ dependencies = [ [[package]] name = "sha3-asm" -version = "0.1.4" +version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c28efc5e327c837aa837c59eae585fc250715ef939ac32881bcc11677cd02d46" +checksum = "b31139435f327c93c6038ed350ae4588e2c70a13d50599509fee6349967ba35a" dependencies = [ "cc", "cfg-if 1.0.4", 
@@ -5396,10 +5387,11 @@ checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" [[package]] name = "signal-hook-registry" -version = "1.4.7" +version = "1.4.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7664a098b8e616bdfcc2dc0e9ac44eb231eedf41db4e9fe95d8d32ec728dedad" +checksum = "c4db69cba1110affc0e9f7bcd48bbf87b3f4fc7c61fc9155afd4c469eb3d6c1b" dependencies = [ + "errno", "libc", ] @@ -5421,9 +5413,9 @@ checksum = "e320a6c5ad31d271ad523dcf3ad13e2767ad8b1cb8f047f75a8aeaf8da139da2" [[package]] name = "slab" -version = "0.4.11" +version = "0.4.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7a2ae44ef20feb57a68b23d846850f861394c2e02dc425a50098ae8c90267589" +checksum = "0c790de23124f9ab44544d7ac05d60440adc586479ce501c1d6d7da3cd8c9cf5" [[package]] name = "sled" @@ -5462,9 +5454,9 @@ dependencies = [ [[package]] name = "socket2" -version = "0.6.1" +version = "0.6.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "17129e116933cf371d018bb80ae557e889637989d8638274fb25622827b03881" +checksum = "86f4aa3ad99f2088c990dfa82d367e19cb29268ed67c574d10d0a4bfe71f07e0" dependencies = [ "libc", "windows-sys 0.60.2", @@ -5520,9 +5512,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7695ce3845ea4b33927c055a39dc438a45b059f7c1b3d91d38d10355fb8cbca7" dependencies = [ "heck", - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] 
@@ -5537,32 +5529,32 @@ version = "1.0.109" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", + "proc-macro2 1.0.106", + "quote 1.0.44", "unicode-ident", ] [[package]] name = "syn" -version = "2.0.111" +version = "2.0.114" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "390cc9a294ab71bdb1aa2e99d13be9c753cd2d7bd6560c77118597410c4d2e87" +checksum = "d4d107df263a3013ef9b1879b0df87d706ff80f65a86ea879bd9c31f9b307c2a" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", + "proc-macro2 1.0.106", + "quote 1.0.44", "unicode-ident", ] [[package]] name = "syn-solidity" -version = "1.5.2" +version = "1.5.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f92d01b5de07eaf324f7fca61cc6bd3d82bbc1de5b6c963e6fe79e86f36580d" +checksum = "2379beea9476b89d0237078be761cf8e012d92d5ae4ae0c9a329f974838870fc" dependencies = [ "paste", - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -5580,16 +5572,16 @@ version = "0.13.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] name = "system-configuration" -version = "0.6.1" +version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3c879d448e9d986b661742763247d3693ed13609438cf3d006f51f5368a5ba6b" +checksum = "a13f3d0daba03132c0aa9767f98351b3488edc2c100cda2d2ec2b04f3d8d3c8b" dependencies = [ "bitflags 2.10.0", "core-foundation", 
@@ -5627,15 +5619,15 @@ checksum = "55937e1799185b12863d447f42597ed69d9928686b8d88a1df17376a097d8369" [[package]] name = "tempfile" -version = "3.20.0" +version = "3.24.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e8a64e3985349f2441a1a9ef0b853f869006c3855f2cda6862a94d26ebb9d6a1" +checksum = "655da9c7eb6305c55742045d5a8d2037996d61d8de95806335c7c86ce0f82e9c" dependencies = [ "fastrand", "getrandom 0.3.4", "once_cell", "rustix", - "windows-sys 0.52.0", + "windows-sys 0.61.2", ] [[package]] @@ -5649,11 +5641,11 @@ dependencies = [ [[package]] name = "thiserror" -version = "2.0.17" +version = "2.0.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f63587ca0f12b72a0600bcba1d40081f830876000bb46dd2337a3051618f4fc8" +checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4" dependencies = [ - "thiserror-impl 2.0.17", + "thiserror-impl 2.0.18", ] [[package]] @@ -5662,20 +5654,20 @@ version = "1.0.69" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] name = "thiserror-impl" -version = "2.0.17" +version = "2.0.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3ff15c8ecd7de3849db632e14d18d2571fa09dfc5ed93479bc4485c7a517c913" +checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] 
@@ -5698,30 +5690,30 @@ dependencies = [ [[package]] name = "time" -version = "0.3.44" +version = "0.3.45" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "91e7d9e3bb61134e77bde20dd4825b97c010155709965fedf0f49bb138e52a9d" +checksum = "f9e442fc33d7fdb45aa9bfeb312c095964abdf596f7567261062b2a7107aaabd" dependencies = [ "deranged", "itoa", "num-conv", "powerfmt", - "serde", + "serde_core", "time-core", "time-macros", ] [[package]] name = "time-core" -version = "0.1.6" +version = "0.1.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "40868e7c1d2f0b8d73e4a8c7f0ff63af4f6d19be117e90bd73eb1d62cf831c6b" +checksum = "8b36ee98fd31ec7426d599183e8fe26932a8dc1fb76ddb6214d05493377d34ca" [[package]] name = "time-macros" -version = "0.2.24" +version = "0.2.25" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "30cfb0125f12d9c277f35663a0a33f8c30190f4e4574868a330595412d34ebf3" +checksum = "71e552d1249bf61ac2a52db88179fd0673def1e1ad8243a00d9ec9ed71fee3dd" dependencies = [ "num-conv", "time-core", @@ -5787,9 +5779,9 @@ version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6e06d43f1345a3bcd39f6a56dbb7dcab2ba47e68e8ac134855e7e2bdbaf8cab8" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -5814,9 +5806,9 @@ dependencies = [ [[package]] name = "tokio-stream" -version = "0.1.17" +version = "0.1.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eca58d7bba4a75707817a2c44174253f9236b2d5fbd055602e9d5c07c139a047" +checksum = "32da49809aab5c3bc678af03902d4ccddea2a87d028d86392a4b1560c6906c70" dependencies = [ "futures-core", "pin-project-lite", 
@@ -5842,9 +5834,9 @@ dependencies = [ [[package]] name = "tokio-util" -version = "0.7.17" +version = "0.7.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2efa149fe76073d6e8fd97ef4f4eca7b67f599660115591483572e406e165594" +checksum = "9ae9cec805b01e8fc3fd2fe289f89149a9b66dd16786abd8b19cfa7b48cb0098" dependencies = [ "bytes", "futures-core", @@ -5889,7 +5881,7 @@ version = "0.22.27" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "41fe8c660ae4257887cf66394862d21dbca4a6ddd26f04a3560410406a2f819a" dependencies = [ - "indexmap 2.12.1", + "indexmap 2.13.0", "serde", "serde_spanned", "toml_datetime 0.6.11", @@ -5903,7 +5895,7 @@ version = "0.23.10+spec-1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "84c8b9f757e028cee9fa244aea147aab2a9ec09d5325a9b01e0a49730c2b5269" dependencies = [ - "indexmap 2.12.1", + "indexmap 2.13.0", "toml_datetime 0.7.5+spec-1.1.0", "toml_parser", "winnow", @@ -5926,9 +5918,9 @@ checksum = "5d99f8c9a7727884afe522e9bd5edbfc91a3312b36a77b5fb8926e4c31a41801" [[package]] name = "tower" -version = "0.5.2" +version = "0.5.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d039ad9159c98b70ecfd540b2573b97f7f52c3e8d9f8ad57a24b916a536975f9" +checksum = "ebe5ef63511595f1344e2d5cfa636d973292adc0eec1f0ad45fae9f0851ab1d4" dependencies = [ "futures-core", "futures-util", @@ -5987,9 +5979,9 @@ version = "0.1.31" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7490cfa5ec963746568740651ac6781f701c9c5ea257c58e057f3ba8cf69e8da" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -6022,7 +6014,7 @@ dependencies = [ "rustls", "rustls-pki-types", "sha1", - "thiserror 2.0.17", + "thiserror 2.0.18", "utf-8", ] 
@@ -6094,13 +6086,14 @@ checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1" [[package]] name = "url" -version = "2.5.4" +version = "2.5.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "32f8b686cadd1473f4bd0117a5d28d36b1ade384ea9b5069a1c40aefed7fda60" +checksum = "ff67a8a4397373c3ef660812acab3268222035010ab8680ec4215f38ba3d0eed" dependencies = [ "form_urlencoded", "idna", "percent-encoding", + "serde", ] [[package]] @@ -6174,9 +6167,9 @@ dependencies = [ [[package]] name = "wasm-bindgen" -version = "0.2.106" +version = "0.2.108" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0d759f433fa64a2d763d1340820e46e111a7a5ab75f993d1852d70b03dbb80fd" +checksum = "64024a30ec1e37399cf85a7ffefebdb72205ca1c972291c51512360d90bd8566" dependencies = [ "cfg-if 1.0.4", "once_cell", @@ -6200,11 +6193,12 @@ dependencies = [ [[package]] name = "wasm-bindgen-futures" -version = "0.4.56" +version = "0.4.58" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "836d9622d604feee9e5de25ac10e3ea5f2d65b41eac0d9ce72eb5deae707ce7c" +checksum = "70a6e77fd0ae8029c9ea0063f87c46fde723e7d887703d74ad2616d792e51e6f" dependencies = [ "cfg-if 1.0.4", + "futures-util", "js-sys", "once_cell", "wasm-bindgen", 
@@ -6213,32 +6207,32 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro" -version = "0.2.106" +version = "0.2.108" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "48cb0d2638f8baedbc542ed444afc0644a29166f1595371af4fecf8ce1e7eeb3" +checksum = "008b239d9c740232e71bd39e8ef6429d27097518b6b30bdf9086833bd5b6d608" dependencies = [ - "quote 1.0.42", + "quote 1.0.44", "wasm-bindgen-macro-support", ] [[package]] name = "wasm-bindgen-macro-support" -version = "0.2.106" +version = "0.2.108" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cefb59d5cd5f92d9dcf80e4683949f15ca4b511f4ac0a6e14d4e1ac60c6ecd40" +checksum = "5256bae2d58f54820e6490f9839c49780dff84c65aeab9e772f15d5f0e913a55" dependencies = [ "bumpalo", - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", "wasm-bindgen-shared", ] [[package]] name = "wasm-bindgen-shared" -version = "0.2.106" +version = "0.2.108" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cbc538057e648b67f72a982e708d485b2efa771e1ac05fec311f9f63e5800db4" +checksum = "1f01b580c9ac74c8d8f0c0e4afb04eeef2acf145458e52c03845ee9cd23e3d12" dependencies = [ "unicode-ident", ] @@ -6284,9 +6278,9 @@ dependencies = [ [[package]] name = "web-sys" -version = "0.3.83" +version = "0.3.85" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9b32828d774c412041098d182a8b38b16ea816958e07cf40eec2bc080ae137ac" +checksum = "312e32e551d92129218ea9a2452120f4aabc03529ef03e4d0d82fb2780608598" dependencies = [ "js-sys", "wasm-bindgen", 
@@ -6308,14 +6302,14 @@ version = "0.26.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "521bc38abb08001b01866da9f51eb7c5d647a19260e00054a8c7fd5f9e57f7a9" dependencies = [ - "webpki-roots 1.0.4", + "webpki-roots 1.0.5", ] [[package]] name = "webpki-roots" -version = "1.0.4" +version = "1.0.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b2878ef029c47c6e8cf779119f20fcf52bde7ad42a731b2a304bc221df17571e" +checksum = "12bed680863276c63889429bfd6cab3b99943659923822de1c8a39c49e4d722c" dependencies = [ "rustls-pki-types", ] @@ -6367,9 +6361,9 @@ version = "0.60.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "053e2e040ab57b9dc951b72c264860db7eb3b0200ba345b4e4c3b14f67855ddf" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -6378,9 +6372,9 @@ version = "0.59.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3f316c4a2570ba26bbec722032c4099d8c8bc095efccdc15688708623367e358" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -6623,9 +6617,9 @@ dependencies = [ "pharos", "rustc_version 0.4.1", "send_wrapper", - "thiserror 2.0.17", + "thiserror 2.0.18", "wasm-bindgen", - "wasm-bindgen-futures 0.4.56", + "wasm-bindgen-futures 0.4.58", "web-sys", ] 
@@ -6664,30 +6658,30 @@ version = "0.8.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b659052874eb698efe5b9e8cf382204678a0086ebf46982b79d6ca3182927e5d" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", "synstructure", ] [[package]] name = "zerocopy" -version = "0.8.31" +version = "0.8.37" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fd74ec98b9250adb3ca554bdde269adf631549f51d8a8f8f0a10b50f1cb298c3" +checksum = "7456cf00f0685ad319c5b1693f291a650eaf345e941d082fc4e03df8a03996ac" dependencies = [ "zerocopy-derive", ] [[package]] name = "zerocopy-derive" -version = "0.8.31" +version = "0.8.37" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d8a8d209fdf45cf5138cbb5a506f6b52522a25afccc534d1475dad8e31105c6a" +checksum = "1328722bbf2115db7e19d69ebcc15e795719e2d66b60827c6a69a117365e37a0" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] 
@@ -6705,30 +6699,30 @@ version = "0.1.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", "synstructure", ] [[package]] name = "zeroize" -version = "1.8.1" +version = "1.8.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ced3678a2879b30306d323f4542626697a464a97c0a07c9aebf7ebca65cd4dde" +checksum = "b97154e67e32c85465826e8bcc1c59429aaaf107c1e4a9e53c8d8ccd5eff88d0" dependencies = [ "zeroize_derive", ] [[package]] name = "zeroize_derive" -version = "1.4.2" +version = "1.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69" +checksum = "85a5b4158499876c763cb03bc4e49185d3cccbabb15b33c627f7884f43db852e" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -6759,9 +6753,9 @@ version = "0.11.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "eadce39539ca5cb3985590102671f2567e659fca9666581ad3411d59207951f3" dependencies = [ - "proc-macro2 1.0.103", - "quote 1.0.42", - "syn 2.0.111", + "proc-macro2 1.0.106", + "quote 1.0.44", + "syn 2.0.114", ] [[package]] @@ -6770,10 +6764,9 @@ version = "0.1.0" dependencies = [ "ark-bn254 0.5.0", "ark-ff 0.5.0", - "crisp-constants", "e3-bfv-client", "e3-fhe-params", - "e3-polynomial", + "e3-polynomial 0.1.8", "e3-sdk", "e3-zk-helpers", "eyre", 
@@ -6805,19 +6798,19 @@ dependencies = [
 [[package]]
 name = "zkfhe-greco"
 version = "0.1.0"
-source = "git+https://github.com/gnosisguild/zkfhe-generator#02131ceea13a9ff154a4d8cdd534261dacbfc724"
+source = "git+https://github.com/gnosisguild/zkfhe-generator#f93990c3064b636dff0b6efead48a3a4341c90db"
 dependencies = [
  "anyhow",
  "ark-bn254 0.5.0",
  "ark-ff 0.5.0",
  "blake3",
+ "e3-polynomial 0.1.8 (git+https://github.com/gnosisguild/enclave?branch=main)",
  "fhe",
  "fhe-math",
  "fhe-traits",
  "itertools 0.14.0",
  "num-bigint",
  "num-traits",
- "polynomial",
  "rand 0.8.5",
  "rayon",
  "serde",
@@ -6830,20 +6823,20 @@ dependencies = [
 [[package]]
 name = "zkfhe-shared"
 version = "0.1.0"
-source = "git+https://github.com/gnosisguild/zkfhe-generator#02131ceea13a9ff154a4d8cdd534261dacbfc724"
+source = "git+https://github.com/gnosisguild/zkfhe-generator#f93990c3064b636dff0b6efead48a3a4341c90db"
 dependencies = [
  "anyhow",
  "ark-bn254 0.5.0",
  "ark-ff 0.5.0",
  "chrono",
+ "e3-polynomial 0.1.8 (git+https://github.com/gnosisguild/enclave?branch=main)",
+ "e3-safe 0.1.8 (git+https://github.com/gnosisguild/enclave)",
  "fhe",
  "fhe-math",
  "fhe-traits",
  "num-bigint",
  "num-traits",
- "polynomial",
  "rand 0.8.5",
- "safe",
  "serde",
  "serde_json",
  "thiserror 1.0.69",
diff --git a/examples/CRISP/Cargo.toml b/examples/CRISP/Cargo.toml
index 217c6c5ca9..59ad063930 100644
--- a/examples/CRISP/Cargo.toml
+++ b/examples/CRISP/Cargo.toml
@@ -6,7 +6,6 @@ members = [
  "crates/zk-inputs",
  "crates/zk-inputs-wasm",
  "crates/evm_helpers",
- "crates/crisp-constants",
  "crates/crisp-utils"
 ]
 resolver = "3"
@@ -20,7 +19,6 @@ repository = "https://github.com/gnosisguild/enclave"
 
 [workspace.dependencies]
 e3-user-program = { path = "./program" }
-crisp-constants = { path = "./crates/crisp-constants" }
 crisp-utils = { path = "./crates/crisp-utils" }
 alloy = { version = "=1.0.41", features = ["full", "rpc-types-eth"] }
 
diff --git a/examples/CRISP/circuits/src/ciphertext_addition.nr b/examples/CRISP/circuits/src/ciphertext_addition.nr
index f7877e093a..611216fa1b 100644
--- a/examples/CRISP/circuits/src/ciphertext_addition.nr
+++ b/examples/CRISP/circuits/src/ciphertext_addition.nr
@@ -39,7 +39,7 @@
 //! 3. Verifies the addition equations hold at these points
 //! 4. Checks range constraints on all coefficients
 
-use lib::core::greco::Configs as GrecoConfigs;
+use lib::core::threshold::user_data_encryption::Configs as UserDataEncryptionConfigs;
 use lib::math::commitments::compute_commitments;
 use lib::math::polynomial::Polynomial;
 
@@ -52,7 +52,7 @@ use lib::math::polynomial::Polynomial;
 /// * `BIT_PREV_CT` - Bit-width bound per coefficient for previous ciphertext polynomials `prev_ct0is`/`prev_ct1is`.
 /// * `BIT_SUM_CT` - Bit-width bound per coefficient for sum ciphertext polynomials `sum_ct0is`/`sum_ct1is`.
 pub struct CiphertextAddition {
- configs: GrecoConfigs,
+ configs: UserDataEncryptionConfigs,
 ct0is: [Polynomial; L],
 ct1is: [Polynomial; L],
 ct_commitment: Field,
@@ -76,7 +76,7 @@ impl,
+ configs: UserDataEncryptionConfigs,
 ct0is: [Polynomial; L],
 ct1is: [Polynomial; L],
 ct_commitment: Field,
@@ -148,7 +148,7 @@ impl bool {
+ pub fn execute(self) -> bool {
 // Step 1: Perform range checks on all polynomial coefficients
 self.check_range_bounds();
diff --git a/examples/CRISP/circuits/src/main.nr b/examples/CRISP/circuits/src/main.nr
index 87865aa74d..4083eb1cfd 100644
--- a/examples/CRISP/circuits/src/main.nr
+++ b/examples/CRISP/circuits/src/main.nr
@@ -4,11 +4,13 @@
 // without even the implied warranty of MERCHANTABILITY
 // or FITNESS FOR A PARTICULAR PURPOSE.
 
-use lib::configs::insecure::trbfv::{
- GRECO_BIT_CT, GRECO_BIT_E0, GRECO_BIT_E1, GRECO_BIT_K, GRECO_BIT_P1, GRECO_BIT_P2, GRECO_BIT_PK,
- GRECO_BIT_R1, GRECO_BIT_R2, GRECO_BIT_U, GRECO_CONFIGS, L, N, Q_MOD_T_MOD_P,
+use lib::configs::insecure::threshold::{
+ L, N, Q_MOD_T_MOD_P, USER_DATA_ENCRYPTION_BIT_CT, USER_DATA_ENCRYPTION_BIT_E0,
+ USER_DATA_ENCRYPTION_BIT_E1, USER_DATA_ENCRYPTION_BIT_K, USER_DATA_ENCRYPTION_BIT_P1,
+ USER_DATA_ENCRYPTION_BIT_P2, USER_DATA_ENCRYPTION_BIT_PK, USER_DATA_ENCRYPTION_BIT_R1,
+ USER_DATA_ENCRYPTION_BIT_R2, USER_DATA_ENCRYPTION_BIT_U, USER_DATA_ENCRYPTION_CONFIGS,
 };
-use lib::core::greco::Greco;
+use lib::core::threshold::user_data_encryption::UserDataEncryption;
 use lib::math::commitments::compute_ciphertext_commitment;
 use lib::math::polynomial::Polynomial;
 
@@ -121,8 +123,8 @@ fn main(
 // This check applies to BOTH cases:
 // - For actual votes: verifies the vote ciphertext is correctly formed
 // - For mask votes: verifies the zero vote ciphertext is correctly formed
- let greco: Greco = Greco::new(
- GRECO_CONFIGS,
+ let user_data_encryption: UserDataEncryption = UserDataEncryption::new(
+ USER_DATA_ENCRYPTION_CONFIGS,
 pk_commitment,
 pk0is,
 pk1is,
@@ -140,7 +142,7 @@ fn main(
 p2is,
 );
 
- assert(greco.verify());
+ assert(user_data_encryption.execute());
 
 // ============================================================================
 // STEP 3: Vote Type Detection and Return Logic
@@ -193,7 +195,7 @@ fn main(
 compute_ciphertext_commitment::<512, 2, 36>(sum_ct0is, sum_ct1is);
 
 let ct_add: CiphertextAddition<512, 2, 36, 36, 36> = CiphertextAddition::new(
- GRECO_CONFIGS,
+ USER_DATA_ENCRYPTION_CONFIGS,
 ct0is,
 ct1is,
 ct_commitment,
@@ -208,7 +210,7 @@ fn main(
 );
 
 assert(prev_ct_commitment == _prev_ct_commitment);
- assert(ct_add.verify());
+ assert(ct_add.execute());
 
 sum_ct_commitment
 }
diff --git a/examples/CRISP/crates/crisp-constants/Cargo.toml b/examples/CRISP/crates/crisp-constants/Cargo.toml
deleted file mode 100644
index 0eda4f5b1c..0000000000
--- a/examples/CRISP/crates/crisp-constants/Cargo.toml
+++ /dev/null
@@ -1,11 +0,0 @@
-[package]
-name = "crisp-constants"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
-description.workspace = true
-repository.workspace = true
-
-[dependencies]
-e3-sdk = { workspace = true, default-features = false, features=["bfv"] }
-e3-fhe-params = { workspace = true }
\ No newline at end of file
diff --git a/examples/CRISP/crates/crisp-constants/src/lib.rs b/examples/CRISP/crates/crisp-constants/src/lib.rs
deleted file mode 100644
index adc0890f47..0000000000
--- a/examples/CRISP/crates/crisp-constants/src/lib.rs
+++ /dev/null
@@ -1,13 +0,0 @@
-// SPDX-License-Identifier: LGPL-3.0-only
-//
-// This file is provided WITHOUT ANY WARRANTY;
-// without even the implied warranty of MERCHANTABILITY
-// or FITNESS FOR A PARTICULAR PURPOSE.
-
-use e3_fhe_params::{BfvParamSet, BfvPreset};
-
-// This could eventually be set here with an environment var once we allow for dynamic circuit selection.
-pub fn get_default_paramset() -> BfvParamSet {
- // NOTE: parameters are insecure. These parameters are mainly for testing and demonstration
- BfvPreset::InsecureThresholdBfv512.into()
-}
diff --git a/examples/CRISP/crates/zk-inputs/Cargo.toml b/examples/CRISP/crates/zk-inputs/Cargo.toml
index bf6e8cd988..80ea9a0c44 100644
--- a/examples/CRISP/crates/zk-inputs/Cargo.toml
+++ b/examples/CRISP/crates/zk-inputs/Cargo.toml
@@ -8,7 +8,6 @@ description = "Core logic to pre-compute CRISP ZK inputs."
 
 [dependencies]
 e3-sdk = { workspace = true, default-features = false, features=["bfv"] }
-crisp-constants.workspace = true
 fhe.workspace = true
 fhe-math.workspace = true
 fhe-traits.workspace = true
diff --git a/examples/CRISP/crates/zk-inputs/src/lib.rs b/examples/CRISP/crates/zk-inputs/src/lib.rs
index 1404157dcd..bed18ae6d2 100644
--- a/examples/CRISP/crates/zk-inputs/src/lib.rs
+++ b/examples/CRISP/crates/zk-inputs/src/lib.rs
@@ -8,8 +8,8 @@
 //!
 //! This crate contains the main logic for generating CRISP inputs for zero-knowledge proofs.
 
-use crisp_constants::get_default_paramset;
 use e3_fhe_params::build_bfv_params_arc;
+use e3_fhe_params::default_param_set;
 use e3_fhe_params::BfvParamSet;
 use e3_zk_helpers::commitments::compute_ciphertext_commitment;
 use e3_zk_helpers::utils::calculate_bit_width;
@@ -62,7 +62,7 @@ impl ZKInputsGenerator {
 /// # Returns
 /// A new ZKInputsGenerator instance with default BFV parameters
 pub fn with_defaults() -> Self {
- Self::from_set(get_default_paramset())
+ Self::from_set(default_param_set())
 }
 
 /// Generates CRISP ZK inputs for a vote encryption and addition operation.
@@ -284,7 +284,7 @@ impl ZKInputsGenerator {
 mod tests {
 use super::*;
 use e3_fhe_params::constants::insecure_512;
-use e3_fhe_params::BfvPreset;
+use e3_fhe_params::{BfvParamSet, BfvPreset};
 
 /// Helper function to create a vote vector with alternating 0s and 1s (deterministic)
 fn create_vote_vector() -> Vec {
@@ -316,7 +316,7 @@ mod tests {
 #[test]
 fn test_inputs_generation_with_custom_params() {
 let generator =
- ZKInputsGenerator::from_set(BfvParamSet::from(BfvPreset::InsecureThresholdBfv512));
+ ZKInputsGenerator::from_set(BfvParamSet::from(BfvPreset::InsecureThreshold512));
 let public_key = generator
 .generate_public_key()
 .expect("failed to generate public key");
@@ -361,7 +361,7 @@ mod tests {
 #[test]
 fn test_get_bfv_params() {
 let generator =
- ZKInputsGenerator::from_set(BfvParamSet::from(BfvPreset::InsecureThresholdBfv512));
+ ZKInputsGenerator::from_set(BfvParamSet::from(BfvPreset::InsecureThreshold512));
 let bfv_params = generator.get_bfv_params();
 assert!(bfv_params.degree() == insecure_512::DEGREE);
 
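Review bot: In the `@@ -62,7 +62,7 @@` hunk, `with_defaults` now delegates to `e3_fhe_params::default_param_set()` while its doc comment still says only "default BFV parameters"; the helper it replaced carried an explicit note that the default preset was an insecure test parameter set, and that caveat is dropped here. The value `default_param_set()` returns is defined outside this diff, so I cannot confirm whether it is still a test preset, but the tests in the same file keep selecting `BfvPreset::InsecureThreshold512`, which suggests the default is not meant for production use. I would restore the warning on the method, e.g. `/// The default comes from `e3_fhe_params::default_param_set()`; check that preset's security level before using it outside tests and demos.` The enclosing `impl ZKInputsGenerator` block starts and ends outside the hunk.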
diff --git a/examples/CRISP/packages/crisp-contracts/contracts/CRISPVerifier.sol b/examples/CRISP/packages/crisp-contracts/contracts/CRISPVerifier.sol
index f21107efac..61f74fbb76 100644
--- a/examples/CRISP/packages/crisp-contracts/contracts/CRISPVerifier.sol
+++ b/examples/CRISP/packages/crisp-contracts/contracts/CRISPVerifier.sol
@@ -8,145 +8,145 @@ pragma solidity >=0.8.21; uint256 constant N = 524288; uint256 constant LOG_N = 19; uint256 constant NUMBER_OF_PUBLIC_INPUTS = 22; -uint256 constant VK_HASH = 0x084c1dbd3a478acf6065432b799017fb92cc2e06de6373862a1a7578db01fbfb; +uint256 constant VK_HASH = 0x2b0041358baea9b8c5aefe9d8b81e37afb5d47caef0f98834fb622b4c6a5baa4; library HonkVerificationKey { - function loadVerificationKey() internal pure returns (Honk.VerificationKey memory) { - Honk.VerificationKey memory vk = Honk.VerificationKey({ - circuitSize: uint256(524288), - logCircuitSize: uint256(19), - publicInputsSize: uint256(22), - ql: Honk.G1Point({ - x: uint256(0x0d306d1d0c63613a48dc5abe4b2d7d89e680fc23e7bb9d336cfb508f74bcfaf3), - y: uint256(0x29429b5c554e27fcac103767a9f6f2bab4aae92dfb15fd6bc48514e4314faffb) - }), - qr: Honk.G1Point({ - x: uint256(0x12aa83a3bb7c76aa0c9ab474db4e54b58bf32db8a0eb3c8f8f77df9153dad683), - y: uint256(0x1a7319cfed3b28a31452d319dd658b434ed14bbcefa15454a4b5222deb719ac8) - }), - qo: Honk.G1Point({ - x: uint256(0x043209f3c3339044bc2f357345b0cdaa38fff6764c552ab6b594a13508e9f5cb), - y: uint256(0x1154d66255304bf2cf33d5f8c787581f9da9c9fcfec6f27a55fa41c40896cde3) - }), - q4: Honk.G1Point({ - x: uint256(0x25c3c2dd37835eb64ad767434d7dcca998202ea1b40ea8566f1fa5502ca7cdaa), - y: uint256(0x119dd1ff560c0d3166d0077cff431634c26419c4183f51552eb746e41014c78b) - }), - qm: Honk.G1Point({ - x: uint256(0x13d119792e7e750790cf48119095b26413c1441d811ed78bc471374043d6f4f2), - y: uint256(0x0a9c42dc2ec320da7f3be004c85731dfc8de9f97d78e6cdd25e3e0c5aa26e366) - }), - qc: Honk.G1Point({ - x: uint256(0x253d6e099522a46c571c16f013f89a847e18e937b2515fb26a115b21d44b3dd7), - y: uint256(0x2e92543d0491394566f08541590dd3d4bf7a6918bd846fbf7886809266c83174) - }), - qLookup: Honk.G1Point({ - x: uint256(0x111ada27d4243c5df982e1cd77f2d9aff394ba4f2ba2faf8ec1a8e5b6d78d1e7), - y: uint256(0x1cf81a5fe339ef18222213e43155e149d0211317fe0a68d795681f31ef25ad0f) - }), - qArith: Honk.G1Point({ - x: 
uint256(0x0e6e2cfb84841f47a5fa298f450fd5243d507fcdb00f4c48f1e243cf57049a67), - y: uint256(0x00d9ab0bb955c983e38300c94e5ae861a08885fc8bb305d91e67f11c874a1001) - }), - qDeltaRange: Honk.G1Point({ - x: uint256(0x2ba1b435d3f81aa89afed52806855ff1d8b90c2a7aee4ee8fd52eb625a3b7ebd), - y: uint256(0x0007a55c032aade5d159dd462c04c83e64098ec3c1151d9c8f9eef8f2b1fba05) - }), - qElliptic: Honk.G1Point({ - x: uint256(0x2b24f14283de6577a18ef01dbc9022725fb5c62a82fd8c4713f0e62f6253a595), - y: uint256(0x0d044e82b87a1ad728e0523fb22bc6762e5e0938afc863f91b255cef0bd5af18) - }), - qMemory: Honk.G1Point({ - x: uint256(0x0df15372ccc6ce24c6751d8c896204faef619787c6c02b21978672ecba3d24a7), - y: uint256(0x143888f072a0e5872f7d1e8ac3781f077628ea2d6f2e13025ae7fe2060c4acc4) - }), - qNnf: Honk.G1Point({ - x: uint256(0x1b72e8b6ba56d190a83fa6d1970de92ae5ab6f927bcef54624d9bbbb46dc4e9d), - y: uint256(0x0c97aefa71025d186851d72ed7094b649e2e691ff943f6a6941f1a0bef03351e) - }), - qPoseidon2External: Honk.G1Point({ - x: uint256(0x23d582f227815530d77e689696ed98a5d1fc9f673b8b24397fdae321e6914f8f), - y: uint256(0x270ff538446d18c614d2a48011428aaae8b1a2f8d11d83ce4896af795a9a63f8) - }), - qPoseidon2Internal: Honk.G1Point({ - x: uint256(0x08183c7bc115e1108efc636a0ae1f642aaa943272a215ed2228b1cd77a9f1e3c), - y: uint256(0x21f39dc097acbf0fedd82157aa1aab463983efc62a6c662dc65565403a763daa) - }), - s1: Honk.G1Point({ - x: uint256(0x0040fbe6b6de18f635fbfe6df0390a99dd432b0bb7c570db5e74bf9a070ca7c2), - y: uint256(0x25062102553ab2e993c4e14223952c978de971f23a461e10b9bd04f0fdeab4d5) - }), - s2: Honk.G1Point({ - x: uint256(0x22a3a51c8383d307eebb0fc19bfa4936e2c618e0220229b184918f15987f3e26), - y: uint256(0x27b77c9721777a091171595b7841a7510b2fb232fb7150088d25232d1b06fb79) - }), - s3: Honk.G1Point({ - x: uint256(0x2dcca1266a5c5d36ada653c4763f4117c3195eb90f64a862660955d8c5057996), - y: uint256(0x0731e236fdd155990552885f3fcb1aea9dd2367bedc1b19b76ad0d7e8fc6a940) - }), - s4: Honk.G1Point({ - x: 
uint256(0x14ad36c110bdde3d7015314b9be1047dc9c680eb68de696f74ec149596132b09), - y: uint256(0x2cb9687e59419594e09a6e5e57b054e31e70d7ff41ab966abcb7922cf9376c0c) - }), - t1: Honk.G1Point({ - x: uint256(0x1f16b037f0b4c96ea2a30a118a44e139881c0db8a4d6c9fde7db5c1c1738e61f), - y: uint256(0x00c7781bda34afc32dedfb0d0f6b16c987c83375da000e180b44ad25685fc2ae) - }), - t2: Honk.G1Point({ - x: uint256(0x29345f914a28707887bee191c3a928191de584827a6d1a78ccce1d7629ca9dc0), - y: uint256(0x1920cebd0b33ac9713424e3bc03d53d79dc72f6afc24c90e56593094a213444c) - }), - t3: Honk.G1Point({ - x: uint256(0x261c990958bc2ef77a45467d9639ab2c68cf787ff7bce55ce3074dfdaedc8f8f), - y: uint256(0x23c1c05424a40360a61e46f4deab04988a6f5b71dda351e0da608cff1f332ee0) - }), - t4: Honk.G1Point({ - x: uint256(0x2b651d2fd644b2972d72ec439dc69d3339d0b052a296bfc48c6a08396aaca078), - y: uint256(0x2d7e8c1ecb92e2490049b50efc811df63f1ca97e58d5e82852dbec0c29715d71) - }), - id1: Honk.G1Point({ - x: uint256(0x103a82e5af3ccf8643340b5f15768479a4782a49162765bc61e6fc846726021c), - y: uint256(0x0dd1ee161e5b8ff32d37fb77678dec1bb40bd4b8cd74858604d3ab6eaaed3310) - }), - id2: Honk.G1Point({ - x: uint256(0x17de68e6aee588fe846863e52d2465668f70642ac0b8fa0fcc3a3604a28e3ec7), - y: uint256(0x1a6fce004d6919a0bfcb90700446fcda044728ac7d372ca53046dec27043c1c3) - }), - id3: Honk.G1Point({ - x: uint256(0x14a6b51bfb858091c94eff6a421fdab3fbc85f2c83822a7eadc8b1a4c4e60a27), - y: uint256(0x1262e534b80be874e870d42a49a16680742ed79775e56423ee5c575ffff49829) - }), - id4: Honk.G1Point({ - x: uint256(0x138bcba7c660c48a5043506dcc3155b6a8e42ac5fbc6740711318258083c4019), - y: uint256(0x27d9d0e5d7fc355126383d930123a4b27c01cb762d9c54b5ff76b0da55a4b0cf) - }), - lagrangeFirst: Honk.G1Point({ - x: uint256(0x0000000000000000000000000000000000000000000000000000000000000001), - y: uint256(0x0000000000000000000000000000000000000000000000000000000000000002) - }), - lagrangeLast: Honk.G1Point({ - x: 
uint256(0x0acf43d755049cab0c892f5431e112f0f1fc59eaad7fe2a4d5acf910a9ad4ec2), - y: uint256(0x1672c20921ffdc4da8f5357b4a85ba97d3131364017d9a511d7c620c1672b9f7) - }) - }); - return vk; - } + function loadVerificationKey() internal pure returns (Honk.VerificationKey memory) { + Honk.VerificationKey memory vk = Honk.VerificationKey({ + circuitSize: uint256(524288), + logCircuitSize: uint256(19), + publicInputsSize: uint256(22), + ql: Honk.G1Point({ + x: uint256(0x0d306d1d0c63613a48dc5abe4b2d7d89e680fc23e7bb9d336cfb508f74bcfaf3), + y: uint256(0x29429b5c554e27fcac103767a9f6f2bab4aae92dfb15fd6bc48514e4314faffb) + }), + qr: Honk.G1Point({ + x: uint256(0x12aa83a3bb7c76aa0c9ab474db4e54b58bf32db8a0eb3c8f8f77df9153dad683), + y: uint256(0x1a7319cfed3b28a31452d319dd658b434ed14bbcefa15454a4b5222deb719ac8) + }), + qo: Honk.G1Point({ + x: uint256(0x043209f3c3339044bc2f357345b0cdaa38fff6764c552ab6b594a13508e9f5cb), + y: uint256(0x1154d66255304bf2cf33d5f8c787581f9da9c9fcfec6f27a55fa41c40896cde3) + }), + q4: Honk.G1Point({ + x: uint256(0x25c3c2dd37835eb64ad767434d7dcca998202ea1b40ea8566f1fa5502ca7cdaa), + y: uint256(0x119dd1ff560c0d3166d0077cff431634c26419c4183f51552eb746e41014c78b) + }), + qm: Honk.G1Point({ + x: uint256(0x13d119792e7e750790cf48119095b26413c1441d811ed78bc471374043d6f4f2), + y: uint256(0x0a9c42dc2ec320da7f3be004c85731dfc8de9f97d78e6cdd25e3e0c5aa26e366) + }), + qc: Honk.G1Point({ + x: uint256(0x0db38a1631e43c2a46fd673796e30dd05ea573144d7568287c42766e97e27a11), + y: uint256(0x2e07cbcb06ab00c6e66e91073939d6569895e3cf8a9362a7618210293cab7123) + }), + qLookup: Honk.G1Point({ + x: uint256(0x111ada27d4243c5df982e1cd77f2d9aff394ba4f2ba2faf8ec1a8e5b6d78d1e7), + y: uint256(0x1cf81a5fe339ef18222213e43155e149d0211317fe0a68d795681f31ef25ad0f) + }), + qArith: Honk.G1Point({ + x: uint256(0x0e6e2cfb84841f47a5fa298f450fd5243d507fcdb00f4c48f1e243cf57049a67), + y: uint256(0x00d9ab0bb955c983e38300c94e5ae861a08885fc8bb305d91e67f11c874a1001) + }), + qDeltaRange: Honk.G1Point({ + x: 
uint256(0x2ba1b435d3f81aa89afed52806855ff1d8b90c2a7aee4ee8fd52eb625a3b7ebd), + y: uint256(0x0007a55c032aade5d159dd462c04c83e64098ec3c1151d9c8f9eef8f2b1fba05) + }), + qElliptic: Honk.G1Point({ + x: uint256(0x2b24f14283de6577a18ef01dbc9022725fb5c62a82fd8c4713f0e62f6253a595), + y: uint256(0x0d044e82b87a1ad728e0523fb22bc6762e5e0938afc863f91b255cef0bd5af18) + }), + qMemory: Honk.G1Point({ + x: uint256(0x0df15372ccc6ce24c6751d8c896204faef619787c6c02b21978672ecba3d24a7), + y: uint256(0x143888f072a0e5872f7d1e8ac3781f077628ea2d6f2e13025ae7fe2060c4acc4) + }), + qNnf: Honk.G1Point({ + x: uint256(0x1b72e8b6ba56d190a83fa6d1970de92ae5ab6f927bcef54624d9bbbb46dc4e9d), + y: uint256(0x0c97aefa71025d186851d72ed7094b649e2e691ff943f6a6941f1a0bef03351e) + }), + qPoseidon2External: Honk.G1Point({ + x: uint256(0x23d582f227815530d77e689696ed98a5d1fc9f673b8b24397fdae321e6914f8f), + y: uint256(0x270ff538446d18c614d2a48011428aaae8b1a2f8d11d83ce4896af795a9a63f8) + }), + qPoseidon2Internal: Honk.G1Point({ + x: uint256(0x08183c7bc115e1108efc636a0ae1f642aaa943272a215ed2228b1cd77a9f1e3c), + y: uint256(0x21f39dc097acbf0fedd82157aa1aab463983efc62a6c662dc65565403a763daa) + }), + s1: Honk.G1Point({ + x: uint256(0x0040fbe6b6de18f635fbfe6df0390a99dd432b0bb7c570db5e74bf9a070ca7c2), + y: uint256(0x25062102553ab2e993c4e14223952c978de971f23a461e10b9bd04f0fdeab4d5) + }), + s2: Honk.G1Point({ + x: uint256(0x22a3a51c8383d307eebb0fc19bfa4936e2c618e0220229b184918f15987f3e26), + y: uint256(0x27b77c9721777a091171595b7841a7510b2fb232fb7150088d25232d1b06fb79) + }), + s3: Honk.G1Point({ + x: uint256(0x2dcca1266a5c5d36ada653c4763f4117c3195eb90f64a862660955d8c5057996), + y: uint256(0x0731e236fdd155990552885f3fcb1aea9dd2367bedc1b19b76ad0d7e8fc6a940) + }), + s4: Honk.G1Point({ + x: uint256(0x14ad36c110bdde3d7015314b9be1047dc9c680eb68de696f74ec149596132b09), + y: uint256(0x2cb9687e59419594e09a6e5e57b054e31e70d7ff41ab966abcb7922cf9376c0c) + }), + t1: Honk.G1Point({ + x: 
uint256(0x1f16b037f0b4c96ea2a30a118a44e139881c0db8a4d6c9fde7db5c1c1738e61f), + y: uint256(0x00c7781bda34afc32dedfb0d0f6b16c987c83375da000e180b44ad25685fc2ae) + }), + t2: Honk.G1Point({ + x: uint256(0x29345f914a28707887bee191c3a928191de584827a6d1a78ccce1d7629ca9dc0), + y: uint256(0x1920cebd0b33ac9713424e3bc03d53d79dc72f6afc24c90e56593094a213444c) + }), + t3: Honk.G1Point({ + x: uint256(0x261c990958bc2ef77a45467d9639ab2c68cf787ff7bce55ce3074dfdaedc8f8f), + y: uint256(0x23c1c05424a40360a61e46f4deab04988a6f5b71dda351e0da608cff1f332ee0) + }), + t4: Honk.G1Point({ + x: uint256(0x2b651d2fd644b2972d72ec439dc69d3339d0b052a296bfc48c6a08396aaca078), + y: uint256(0x2d7e8c1ecb92e2490049b50efc811df63f1ca97e58d5e82852dbec0c29715d71) + }), + id1: Honk.G1Point({ + x: uint256(0x103a82e5af3ccf8643340b5f15768479a4782a49162765bc61e6fc846726021c), + y: uint256(0x0dd1ee161e5b8ff32d37fb77678dec1bb40bd4b8cd74858604d3ab6eaaed3310) + }), + id2: Honk.G1Point({ + x: uint256(0x17de68e6aee588fe846863e52d2465668f70642ac0b8fa0fcc3a3604a28e3ec7), + y: uint256(0x1a6fce004d6919a0bfcb90700446fcda044728ac7d372ca53046dec27043c1c3) + }), + id3: Honk.G1Point({ + x: uint256(0x14a6b51bfb858091c94eff6a421fdab3fbc85f2c83822a7eadc8b1a4c4e60a27), + y: uint256(0x1262e534b80be874e870d42a49a16680742ed79775e56423ee5c575ffff49829) + }), + id4: Honk.G1Point({ + x: uint256(0x138bcba7c660c48a5043506dcc3155b6a8e42ac5fbc6740711318258083c4019), + y: uint256(0x27d9d0e5d7fc355126383d930123a4b27c01cb762d9c54b5ff76b0da55a4b0cf) + }), + lagrangeFirst: Honk.G1Point({ + x: uint256(0x0000000000000000000000000000000000000000000000000000000000000001), + y: uint256(0x0000000000000000000000000000000000000000000000000000000000000002) + }), + lagrangeLast: Honk.G1Point({ + x: uint256(0x0acf43d755049cab0c892f5431e112f0f1fc59eaad7fe2a4d5acf910a9ad4ec2), + y: uint256(0x1672c20921ffdc4da8f5357b4a85ba97d3131364017d9a511d7c620c1672b9f7) + }) + }); + return vk; + } } pragma solidity ^0.8.27; interface IVerifier { - function verify(bytes 
calldata _proof, bytes32[] calldata _publicInputs) external returns (bool); + function verify(bytes calldata _proof, bytes32[] calldata _publicInputs) external returns (bool); } type Fr is uint256; -using { add as + } for Fr global; -using { sub as - } for Fr global; -using { mul as * } for Fr global; +using {add as +} for Fr global; +using {sub as -} for Fr global; +using {mul as *} for Fr global; -using { exp as ^ } for Fr global; -using { notEqual as != } for Fr global; -using { equal as == } for Fr global; +using {exp as ^} for Fr global; +using {notEqual as !=} for Fr global; +using {equal as ==} for Fr global; uint256 constant SUBGROUP_SIZE = 256; uint256 constant MODULUS = 21888242871839275222246405745257275088548364400416034343698204186575808495617; // Prime field order 
@@ -159,135 +159,135 @@ Fr constant ZERO = Fr.wrap(0); // Instantiation library FrLib { - function from(uint256 value) internal pure returns (Fr) { - unchecked { - return Fr.wrap(value % MODULUS); - } - } - - function fromBytes32(bytes32 value) internal pure returns (Fr) { - unchecked { - return Fr.wrap(uint256(value) % MODULUS); - } - } - - function toBytes32(Fr value) internal pure returns (bytes32) { - unchecked { - return bytes32(Fr.unwrap(value)); - } - } - - function invert(Fr value) internal view returns (Fr) { - uint256 v = Fr.unwrap(value); - uint256 result; - - // Call the modexp precompile to invert in the field - assembly { - let free := mload(0x40) - mstore(free, 0x20) - mstore(add(free, 0x20), 0x20) - mstore(add(free, 0x40), 0x20) - mstore(add(free, 0x60), v) - mstore(add(free, 0x80), sub(MODULUS, 2)) - mstore(add(free, 0xa0), MODULUS) - let success := staticcall(gas(), 0x05, free, 0xc0, 0x00, 0x20) - if iszero(success) { - revert(0, 0) - } - result := mload(0x00) - mstore(0x40, add(free, 0x80)) - } - - return Fr.wrap(result); - } - - function pow(Fr base, uint256 v) internal view returns (Fr) { - uint256 b = Fr.unwrap(base); - uint256 result; - - // Call the modexp precompile to invert in the field - assembly { - let free := mload(0x40) - mstore(free, 0x20) - mstore(add(free, 0x20), 0x20) - mstore(add(free, 0x40), 0x20) - mstore(add(free, 0x60), b) - mstore(add(free, 0x80), v) - mstore(add(free, 0xa0), MODULUS) - let success := staticcall(gas(), 0x05, free, 0xc0, 0x00, 0x20) - if iszero(success) { - revert(0, 0) - } - result := mload(0x00) - mstore(0x40, add(free, 0x80)) - } - - return Fr.wrap(result); - } - - function div(Fr numerator, Fr denominator) internal view returns (Fr) { - unchecked { - return numerator * invert(denominator); + function from(uint256 value) internal pure returns (Fr) { + unchecked { + return Fr.wrap(value % MODULUS); + } + } + + function fromBytes32(bytes32 value) internal pure returns (Fr) { + unchecked { + return 
Fr.wrap(uint256(value) % MODULUS); + } + } + + function toBytes32(Fr value) internal pure returns (bytes32) { + unchecked { + return bytes32(Fr.unwrap(value)); + } + } + + function invert(Fr value) internal view returns (Fr) { + uint256 v = Fr.unwrap(value); + uint256 result; + + // Call the modexp precompile to invert in the field + assembly { + let free := mload(0x40) + mstore(free, 0x20) + mstore(add(free, 0x20), 0x20) + mstore(add(free, 0x40), 0x20) + mstore(add(free, 0x60), v) + mstore(add(free, 0x80), sub(MODULUS, 2)) + mstore(add(free, 0xa0), MODULUS) + let success := staticcall(gas(), 0x05, free, 0xc0, 0x00, 0x20) + if iszero(success) { + revert(0, 0) + } + result := mload(0x00) + mstore(0x40, add(free, 0x80)) + } + + return Fr.wrap(result); + } + + function pow(Fr base, uint256 v) internal view returns (Fr) { + uint256 b = Fr.unwrap(base); + uint256 result; + + // Call the modexp precompile to invert in the field + assembly { + let free := mload(0x40) + mstore(free, 0x20) + mstore(add(free, 0x20), 0x20) + mstore(add(free, 0x40), 0x20) + mstore(add(free, 0x60), b) + mstore(add(free, 0x80), v) + mstore(add(free, 0xa0), MODULUS) + let success := staticcall(gas(), 0x05, free, 0xc0, 0x00, 0x20) + if iszero(success) { + revert(0, 0) + } + result := mload(0x00) + mstore(0x40, add(free, 0x80)) + } + + return Fr.wrap(result); + } + + function div(Fr numerator, Fr denominator) internal view returns (Fr) { + unchecked { + return numerator * invert(denominator); + } + } + + function sqr(Fr value) internal pure returns (Fr) { + unchecked { + return value * value; + } + } + + function unwrap(Fr value) internal pure returns (uint256) { + unchecked { + return Fr.unwrap(value); + } + } + + function neg(Fr value) internal pure returns (Fr) { + unchecked { + return Fr.wrap(MODULUS - Fr.unwrap(value)); + } } - } - - function sqr(Fr value) internal pure returns (Fr) { - unchecked { - return value * value; - } - } - - function unwrap(Fr value) internal pure returns (uint256) { 
- unchecked { - return Fr.unwrap(value); - } - } - - function neg(Fr value) internal pure returns (Fr) { - unchecked { - return Fr.wrap(MODULUS - Fr.unwrap(value)); - } - } } // Free functions function add(Fr a, Fr b) pure returns (Fr) { - unchecked { - return Fr.wrap(addmod(Fr.unwrap(a), Fr.unwrap(b), MODULUS)); - } + unchecked { + return Fr.wrap(addmod(Fr.unwrap(a), Fr.unwrap(b), MODULUS)); + } } function mul(Fr a, Fr b) pure returns (Fr) { - unchecked { - return Fr.wrap(mulmod(Fr.unwrap(a), Fr.unwrap(b), MODULUS)); - } + unchecked { + return Fr.wrap(mulmod(Fr.unwrap(a), Fr.unwrap(b), MODULUS)); + } } function sub(Fr a, Fr b) pure returns (Fr) { - unchecked { - return Fr.wrap(addmod(Fr.unwrap(a), MODULUS - Fr.unwrap(b), MODULUS)); - } + unchecked { + return Fr.wrap(addmod(Fr.unwrap(a), MODULUS - Fr.unwrap(b), MODULUS)); + } } function exp(Fr base, Fr exponent) pure returns (Fr) { - if (Fr.unwrap(exponent) == 0) return Fr.wrap(1); - // Implement exponent with a loop as we will overflow otherwise - for (uint256 i = 1; i < Fr.unwrap(exponent); i += i) { - base = base * base; - } - return base; + if (Fr.unwrap(exponent) == 0) return Fr.wrap(1); + // Implement exponent with a loop as we will overflow otherwise + for (uint256 i = 1; i < Fr.unwrap(exponent); i += i) { + base = base * base; + } + return base; } function notEqual(Fr a, Fr b) pure returns (bool) { - unchecked { - return Fr.unwrap(a) != Fr.unwrap(b); - } + unchecked { + return Fr.unwrap(a) != Fr.unwrap(b); + } } function equal(Fr a, Fr b) pure returns (bool) { - unchecked { - return Fr.unwrap(a) == Fr.unwrap(b); - } + unchecked { + return Fr.unwrap(a) == Fr.unwrap(b); + } } uint256 constant CONST_PROOF_SIZE_LOG_N = 28; 
@@ -308,1325 +308,1332 @@ uint256 constant NUMBER_OF_ALPHAS = NUMBER_OF_SUBRELATIONS - 1; // ENUM FOR WIRES enum WIRE { - Q_M, - Q_C, - Q_L, - Q_R, - Q_O, - Q_4, - Q_LOOKUP, - Q_ARITH, - Q_RANGE, - Q_ELLIPTIC, - Q_MEMORY, - Q_NNF, - Q_POSEIDON2_EXTERNAL, - Q_POSEIDON2_INTERNAL, - SIGMA_1, - SIGMA_2, - SIGMA_3, - SIGMA_4, - ID_1, - ID_2, - ID_3, - ID_4, - TABLE_1, - TABLE_2, - TABLE_3, - TABLE_4, - LAGRANGE_FIRST, - LAGRANGE_LAST, - W_L, - W_R, - W_O, - W_4, - Z_PERM, - LOOKUP_INVERSES, - LOOKUP_READ_COUNTS, - LOOKUP_READ_TAGS, - W_L_SHIFT, - W_R_SHIFT, - W_O_SHIFT, - W_4_SHIFT, - Z_PERM_SHIFT + Q_M, + Q_C, + Q_L, + Q_R, + Q_O, + Q_4, + Q_LOOKUP, + Q_ARITH, + Q_RANGE, + Q_ELLIPTIC, + Q_MEMORY, + Q_NNF, + Q_POSEIDON2_EXTERNAL, + Q_POSEIDON2_INTERNAL, + SIGMA_1, + SIGMA_2, + SIGMA_3, + SIGMA_4, + ID_1, + ID_2, + ID_3, + ID_4, + TABLE_1, + TABLE_2, + TABLE_3, + TABLE_4, + LAGRANGE_FIRST, + LAGRANGE_LAST, + W_L, + W_R, + W_O, + W_4, + Z_PERM, + LOOKUP_INVERSES, + LOOKUP_READ_COUNTS, + LOOKUP_READ_TAGS, + W_L_SHIFT, + W_R_SHIFT, + W_O_SHIFT, + W_4_SHIFT, + Z_PERM_SHIFT } library Honk { - struct G1Point { - uint256 x; - uint256 y; - } - - struct VerificationKey { - // Misc Params - uint256 circuitSize; - uint256 logCircuitSize; - uint256 publicInputsSize; - // Selectors - G1Point qm; - G1Point qc; - G1Point ql; - G1Point qr; - G1Point qo; - G1Point q4; - G1Point qLookup; // Lookup - G1Point qArith; // Arithmetic widget - G1Point qDeltaRange; // Delta Range sort - G1Point qMemory; // Memory - G1Point qNnf; // Non-native Field - G1Point qElliptic; // Auxillary - G1Point qPoseidon2External; - G1Point qPoseidon2Internal; - // Copy cnstraints - G1Point s1; - G1Point s2; - G1Point s3; - G1Point s4; - // Copy identity - G1Point id1; - G1Point id2; - G1Point id3; - G1Point id4; - // Precomputed lookup table - G1Point t1; - G1Point t2; - G1Point t3; - G1Point t4; - // Fixed first and last - G1Point lagrangeFirst; - G1Point lagrangeLast; - } - - struct RelationParameters { - // 
challenges - Fr eta; - Fr etaTwo; - Fr etaThree; - Fr beta; - Fr gamma; - // derived - Fr publicInputsDelta; - } - - struct Proof { - // Pairing point object - Fr[PAIRING_POINTS_SIZE] pairingPointObject; - // Free wires - G1Point w1; - G1Point w2; - G1Point w3; - G1Point w4; - // Lookup helpers - Permutations - G1Point zPerm; - // Lookup helpers - logup - G1Point lookupReadCounts; - G1Point lookupReadTags; - G1Point lookupInverses; - // Sumcheck - Fr[BATCHED_RELATION_PARTIAL_LENGTH][CONST_PROOF_SIZE_LOG_N] sumcheckUnivariates; - Fr[NUMBER_OF_ENTITIES] sumcheckEvaluations; - // Shplemini - G1Point[CONST_PROOF_SIZE_LOG_N - 1] geminiFoldComms; - Fr[CONST_PROOF_SIZE_LOG_N] geminiAEvaluations; - G1Point shplonkQ; - G1Point kzgQuotient; - } - - struct ZKProof { - // Pairing point object - Fr[PAIRING_POINTS_SIZE] pairingPointObject; - // Commitments to wire polynomials - G1Point w1; - G1Point w2; - G1Point w3; - G1Point w4; - // Commitments to logup witness polynomials - G1Point lookupReadCounts; - G1Point lookupReadTags; - G1Point lookupInverses; - // Commitment to grand permutation polynomial - G1Point zPerm; - G1Point[3] libraCommitments; - // Sumcheck - Fr libraSum; - Fr[ZK_BATCHED_RELATION_PARTIAL_LENGTH][CONST_PROOF_SIZE_LOG_N] sumcheckUnivariates; - Fr[NUMBER_OF_ENTITIES] sumcheckEvaluations; - Fr libraEvaluation; - // ZK - G1Point geminiMaskingPoly; - Fr geminiMaskingEval; - // Shplemini - G1Point[CONST_PROOF_SIZE_LOG_N - 1] geminiFoldComms; - Fr[CONST_PROOF_SIZE_LOG_N] geminiAEvaluations; - Fr[4] libraPolyEvals; - G1Point shplonkQ; - G1Point kzgQuotient; - } + struct G1Point { + uint256 x; + uint256 y; + } + + struct VerificationKey { + // Misc Params + uint256 circuitSize; + uint256 logCircuitSize; + uint256 publicInputsSize; + // Selectors + G1Point qm; + G1Point qc; + G1Point ql; + G1Point qr; + G1Point qo; + G1Point q4; + G1Point qLookup; // Lookup + G1Point qArith; // Arithmetic widget + G1Point qDeltaRange; // Delta Range sort + G1Point qMemory; // Memory + 
G1Point qNnf; // Non-native Field + G1Point qElliptic; // Auxillary + G1Point qPoseidon2External; + G1Point qPoseidon2Internal; + // Copy cnstraints + G1Point s1; + G1Point s2; + G1Point s3; + G1Point s4; + // Copy identity + G1Point id1; + G1Point id2; + G1Point id3; + G1Point id4; + // Precomputed lookup table + G1Point t1; + G1Point t2; + G1Point t3; + G1Point t4; + // Fixed first and last + G1Point lagrangeFirst; + G1Point lagrangeLast; + } + + struct RelationParameters { + // challenges + Fr eta; + Fr etaTwo; + Fr etaThree; + Fr beta; + Fr gamma; + // derived + Fr publicInputsDelta; + } + + struct Proof { + // Pairing point object + Fr[PAIRING_POINTS_SIZE] pairingPointObject; + // Free wires + G1Point w1; + G1Point w2; + G1Point w3; + G1Point w4; + // Lookup helpers - Permutations + G1Point zPerm; + // Lookup helpers - logup + G1Point lookupReadCounts; + G1Point lookupReadTags; + G1Point lookupInverses; + // Sumcheck + Fr[BATCHED_RELATION_PARTIAL_LENGTH][CONST_PROOF_SIZE_LOG_N] sumcheckUnivariates; + Fr[NUMBER_OF_ENTITIES] sumcheckEvaluations; + // Shplemini + G1Point[CONST_PROOF_SIZE_LOG_N - 1] geminiFoldComms; + Fr[CONST_PROOF_SIZE_LOG_N] geminiAEvaluations; + G1Point shplonkQ; + G1Point kzgQuotient; + } + + struct ZKProof { + // Pairing point object + Fr[PAIRING_POINTS_SIZE] pairingPointObject; + // Commitments to wire polynomials + G1Point w1; + G1Point w2; + G1Point w3; + G1Point w4; + // Commitments to logup witness polynomials + G1Point lookupReadCounts; + G1Point lookupReadTags; + G1Point lookupInverses; + // Commitment to grand permutation polynomial + G1Point zPerm; + G1Point[3] libraCommitments; + // Sumcheck + Fr libraSum; + Fr[ZK_BATCHED_RELATION_PARTIAL_LENGTH][CONST_PROOF_SIZE_LOG_N] sumcheckUnivariates; + Fr[NUMBER_OF_ENTITIES] sumcheckEvaluations; + Fr libraEvaluation; + // ZK + G1Point geminiMaskingPoly; + Fr geminiMaskingEval; + // Shplemini + G1Point[CONST_PROOF_SIZE_LOG_N - 1] geminiFoldComms; + Fr[CONST_PROOF_SIZE_LOG_N] 
geminiAEvaluations; + Fr[4] libraPolyEvals; + G1Point shplonkQ; + G1Point kzgQuotient; + } } // ZKTranscript library to generate fiat shamir challenges, the ZK transcript only differest struct ZKTranscript { - // Oink - Honk.RelationParameters relationParameters; - Fr[NUMBER_OF_ALPHAS] alphas; - Fr[CONST_PROOF_SIZE_LOG_N] gateChallenges; - // Sumcheck - Fr libraChallenge; - Fr[CONST_PROOF_SIZE_LOG_N] sumCheckUChallenges; - // Shplemini - Fr rho; - Fr geminiR; - Fr shplonkNu; - Fr shplonkZ; - // Derived - Fr publicInputsDelta; + // Oink + Honk.RelationParameters relationParameters; + Fr[NUMBER_OF_ALPHAS] alphas; + Fr[CONST_PROOF_SIZE_LOG_N] gateChallenges; + // Sumcheck + Fr libraChallenge; + Fr[CONST_PROOF_SIZE_LOG_N] sumCheckUChallenges; + // Shplemini + Fr rho; + Fr geminiR; + Fr shplonkNu; + Fr shplonkZ; + // Derived + Fr publicInputsDelta; } library ZKTranscriptLib { - function generateTranscript( - Honk.ZKProof memory proof, - bytes32[] calldata publicInputs, - uint256 vkHash, - uint256 publicInputsSize, - uint256 logN - ) external pure returns (ZKTranscript memory t) { - Fr previousChallenge; - (t.relationParameters, previousChallenge) = generateRelationParametersChallenges( - proof, - publicInputs, - vkHash, - publicInputsSize, - previousChallenge - ); - - (t.alphas, previousChallenge) = generateAlphaChallenges(previousChallenge, proof); - - (t.gateChallenges, previousChallenge) = generateGateChallenges(previousChallenge, logN); - (t.libraChallenge, previousChallenge) = generateLibraChallenge(previousChallenge, proof); - (t.sumCheckUChallenges, previousChallenge) = generateSumcheckChallenges(proof, previousChallenge, logN); - - (t.rho, previousChallenge) = generateRhoChallenge(proof, previousChallenge); - - (t.geminiR, previousChallenge) = generateGeminiRChallenge(proof, previousChallenge, logN); - - (t.shplonkNu, previousChallenge) = generateShplonkNuChallenge(proof, previousChallenge, logN); - - (t.shplonkZ, previousChallenge) = 
generateShplonkZChallenge(proof, previousChallenge); - return t; - } - - function splitChallenge(Fr challenge) internal pure returns (Fr first, Fr second) { - uint256 challengeU256 = uint256(Fr.unwrap(challenge)); - uint256 lo = challengeU256 & 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF; - uint256 hi = challengeU256 >> 128; - first = FrLib.fromBytes32(bytes32(lo)); - second = FrLib.fromBytes32(bytes32(hi)); - } - - function generateRelationParametersChallenges( - Honk.ZKProof memory proof, - bytes32[] calldata publicInputs, - uint256 vkHash, - uint256 publicInputsSize, - Fr previousChallenge - ) internal pure returns (Honk.RelationParameters memory rp, Fr nextPreviousChallenge) { - (rp.eta, rp.etaTwo, rp.etaThree, previousChallenge) = generateEtaChallenge(proof, publicInputs, vkHash, publicInputsSize); - - (rp.beta, rp.gamma, nextPreviousChallenge) = generateBetaAndGammaChallenges(previousChallenge, proof); - } - - function generateEtaChallenge( - Honk.ZKProof memory proof, - bytes32[] calldata publicInputs, - uint256 vkHash, - uint256 publicInputsSize - ) internal pure returns (Fr eta, Fr etaTwo, Fr etaThree, Fr previousChallenge) { - bytes32[] memory round0 = new bytes32[](1 + publicInputsSize + 6); - round0[0] = bytes32(vkHash); - - for (uint256 i = 0; i < publicInputsSize - PAIRING_POINTS_SIZE; i++) { - round0[1 + i] = bytes32(publicInputs[i]); - } - for (uint256 i = 0; i < PAIRING_POINTS_SIZE; i++) { - round0[1 + publicInputsSize - PAIRING_POINTS_SIZE + i] = FrLib.toBytes32(proof.pairingPointObject[i]); - } - - // Create the first challenge - // Note: w4 is added to the challenge later on - round0[1 + publicInputsSize] = bytes32(proof.w1.x); - round0[1 + publicInputsSize + 1] = bytes32(proof.w1.y); - round0[1 + publicInputsSize + 2] = bytes32(proof.w2.x); - round0[1 + publicInputsSize + 3] = bytes32(proof.w2.y); - round0[1 + publicInputsSize + 4] = bytes32(proof.w3.x); - round0[1 + publicInputsSize + 5] = bytes32(proof.w3.y); - - previousChallenge = 
FrLib.fromBytes32(keccak256(abi.encodePacked(round0))); - (eta, etaTwo) = splitChallenge(previousChallenge); - previousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(Fr.unwrap(previousChallenge)))); - - (etaThree, ) = splitChallenge(previousChallenge); - } - - function generateBetaAndGammaChallenges( - Fr previousChallenge, - Honk.ZKProof memory proof - ) internal pure returns (Fr beta, Fr gamma, Fr nextPreviousChallenge) { - bytes32[7] memory round1; - round1[0] = FrLib.toBytes32(previousChallenge); - round1[1] = bytes32(proof.lookupReadCounts.x); - round1[2] = bytes32(proof.lookupReadCounts.y); - round1[3] = bytes32(proof.lookupReadTags.x); - round1[4] = bytes32(proof.lookupReadTags.y); - round1[5] = bytes32(proof.w4.x); - round1[6] = bytes32(proof.w4.y); - - nextPreviousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(round1))); - (beta, gamma) = splitChallenge(nextPreviousChallenge); - } - - // Alpha challenges non-linearise the gate contributions - function generateAlphaChallenges( - Fr previousChallenge, - Honk.ZKProof memory proof - ) internal pure returns (Fr[NUMBER_OF_ALPHAS] memory alphas, Fr nextPreviousChallenge) { - // Generate the original sumcheck alpha 0 by hashing zPerm and zLookup - uint256[5] memory alpha0; - alpha0[0] = Fr.unwrap(previousChallenge); - alpha0[1] = proof.lookupInverses.x; - alpha0[2] = proof.lookupInverses.y; - alpha0[3] = proof.zPerm.x; - alpha0[4] = proof.zPerm.y; - - nextPreviousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(alpha0))); - Fr alpha; - (alpha, ) = splitChallenge(nextPreviousChallenge); - - // Compute powers of alpha for batching subrelations - alphas[0] = alpha; - for (uint256 i = 1; i < NUMBER_OF_ALPHAS; i++) { - alphas[i] = alphas[i - 1] * alpha; - } - } - - function generateGateChallenges( - Fr previousChallenge, - uint256 logN - ) internal pure returns (Fr[CONST_PROOF_SIZE_LOG_N] memory gateChallenges, Fr nextPreviousChallenge) { - previousChallenge = 
FrLib.fromBytes32(keccak256(abi.encodePacked(Fr.unwrap(previousChallenge)))); - (gateChallenges[0], ) = splitChallenge(previousChallenge); - for (uint256 i = 1; i < logN; i++) { - gateChallenges[i] = gateChallenges[i - 1] * gateChallenges[i - 1]; - } - nextPreviousChallenge = previousChallenge; - } - - function generateLibraChallenge( - Fr previousChallenge, - Honk.ZKProof memory proof - ) internal pure returns (Fr libraChallenge, Fr nextPreviousChallenge) { - // 2 comm, 1 sum, 1 challenge - uint256[4] memory challengeData; - challengeData[0] = Fr.unwrap(previousChallenge); - challengeData[1] = proof.libraCommitments[0].x; - challengeData[2] = proof.libraCommitments[0].y; - challengeData[3] = Fr.unwrap(proof.libraSum); - nextPreviousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(challengeData))); - (libraChallenge, ) = splitChallenge(nextPreviousChallenge); - } - - function generateSumcheckChallenges( - Honk.ZKProof memory proof, - Fr prevChallenge, - uint256 logN - ) internal pure returns (Fr[CONST_PROOF_SIZE_LOG_N] memory sumcheckChallenges, Fr nextPreviousChallenge) { - for (uint256 i = 0; i < logN; i++) { - Fr[ZK_BATCHED_RELATION_PARTIAL_LENGTH + 1] memory univariateChal; - univariateChal[0] = prevChallenge; - - for (uint256 j = 0; j < ZK_BATCHED_RELATION_PARTIAL_LENGTH; j++) { - univariateChal[j + 1] = proof.sumcheckUnivariates[i][j]; - } - prevChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(univariateChal))); - - (sumcheckChallenges[i], ) = splitChallenge(prevChallenge); - } - nextPreviousChallenge = prevChallenge; - } - - // We add Libra claimed eval + 3 comm + 1 more eval - function generateRhoChallenge(Honk.ZKProof memory proof, Fr prevChallenge) internal pure returns (Fr rho, Fr nextPreviousChallenge) { - uint256[NUMBER_OF_ENTITIES + 9] memory rhoChallengeElements; - rhoChallengeElements[0] = Fr.unwrap(prevChallenge); - uint256 i; - for (i = 1; i <= NUMBER_OF_ENTITIES; i++) { - rhoChallengeElements[i] = 
Fr.unwrap(proof.sumcheckEvaluations[i - 1]); - } - rhoChallengeElements[i] = Fr.unwrap(proof.libraEvaluation); - - i += 1; - rhoChallengeElements[i] = proof.libraCommitments[1].x; - rhoChallengeElements[i + 1] = proof.libraCommitments[1].y; - i += 2; - rhoChallengeElements[i] = proof.libraCommitments[2].x; - rhoChallengeElements[i + 1] = proof.libraCommitments[2].y; - i += 2; - rhoChallengeElements[i] = proof.geminiMaskingPoly.x; - rhoChallengeElements[i + 1] = proof.geminiMaskingPoly.y; - - i += 2; - rhoChallengeElements[i] = Fr.unwrap(proof.geminiMaskingEval); - - nextPreviousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(rhoChallengeElements))); - (rho, ) = splitChallenge(nextPreviousChallenge); - } - - function generateGeminiRChallenge( - Honk.ZKProof memory proof, - Fr prevChallenge, - uint256 logN - ) internal pure returns (Fr geminiR, Fr nextPreviousChallenge) { - uint256[] memory gR = new uint256[]((logN - 1) * 2 + 1); - gR[0] = Fr.unwrap(prevChallenge); - - for (uint256 i = 0; i < logN - 1; i++) { - gR[1 + i * 2] = proof.geminiFoldComms[i].x; - gR[2 + i * 2] = proof.geminiFoldComms[i].y; - } - - nextPreviousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(gR))); - - (geminiR, ) = splitChallenge(nextPreviousChallenge); - } - - function generateShplonkNuChallenge( - Honk.ZKProof memory proof, - Fr prevChallenge, - uint256 logN - ) internal pure returns (Fr shplonkNu, Fr nextPreviousChallenge) { - uint256[] memory shplonkNuChallengeElements = new uint256[](logN + 1 + 4); - shplonkNuChallengeElements[0] = Fr.unwrap(prevChallenge); - - for (uint256 i = 1; i <= logN; i++) { - shplonkNuChallengeElements[i] = Fr.unwrap(proof.geminiAEvaluations[i - 1]); - } - - uint256 libraIdx = 0; - for (uint256 i = logN + 1; i <= logN + 4; i++) { - shplonkNuChallengeElements[i] = Fr.unwrap(proof.libraPolyEvals[libraIdx]); - libraIdx++; - } - - nextPreviousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(shplonkNuChallengeElements))); - (shplonkNu, ) = 
splitChallenge(nextPreviousChallenge); - } - - function generateShplonkZChallenge( - Honk.ZKProof memory proof, - Fr prevChallenge - ) internal pure returns (Fr shplonkZ, Fr nextPreviousChallenge) { - uint256[3] memory shplonkZChallengeElements; - shplonkZChallengeElements[0] = Fr.unwrap(prevChallenge); - - shplonkZChallengeElements[1] = proof.shplonkQ.x; - shplonkZChallengeElements[2] = proof.shplonkQ.y; - - nextPreviousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(shplonkZChallengeElements))); - (shplonkZ, ) = splitChallenge(nextPreviousChallenge); - } - - function loadProof(bytes calldata proof, uint256 logN) internal pure returns (Honk.ZKProof memory p) { - uint256 boundary = 0x0; - - // Pairing point object - for (uint256 i = 0; i < PAIRING_POINTS_SIZE; i++) { - p.pairingPointObject[i] = bytesToFr(proof[boundary:boundary + FIELD_ELEMENT_SIZE]); - boundary += FIELD_ELEMENT_SIZE; - } - // Commitments - p.w1 = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); - boundary += GROUP_ELEMENT_SIZE; - p.w2 = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); - boundary += GROUP_ELEMENT_SIZE; - p.w3 = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); - boundary += GROUP_ELEMENT_SIZE; - - // Lookup / Permutation Helper Commitments - p.lookupReadCounts = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); - boundary += GROUP_ELEMENT_SIZE; - p.lookupReadTags = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); - boundary += GROUP_ELEMENT_SIZE; - p.w4 = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); - boundary += GROUP_ELEMENT_SIZE; - p.lookupInverses = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); - boundary += GROUP_ELEMENT_SIZE; - p.zPerm = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); - boundary += GROUP_ELEMENT_SIZE; - p.libraCommitments[0] = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); - boundary += GROUP_ELEMENT_SIZE; - - 
p.libraSum = bytesToFr(proof[boundary:boundary + FIELD_ELEMENT_SIZE]); - boundary += FIELD_ELEMENT_SIZE; - // Sumcheck univariates - for (uint256 i = 0; i < logN; i++) { - for (uint256 j = 0; j < ZK_BATCHED_RELATION_PARTIAL_LENGTH; j++) { - p.sumcheckUnivariates[i][j] = bytesToFr(proof[boundary:boundary + FIELD_ELEMENT_SIZE]); - boundary += FIELD_ELEMENT_SIZE; - } - } - - // Sumcheck evaluations - for (uint256 i = 0; i < NUMBER_OF_ENTITIES; i++) { - p.sumcheckEvaluations[i] = bytesToFr(proof[boundary:boundary + FIELD_ELEMENT_SIZE]); - boundary += FIELD_ELEMENT_SIZE; - } - - p.libraEvaluation = bytesToFr(proof[boundary:boundary + FIELD_ELEMENT_SIZE]); - boundary += FIELD_ELEMENT_SIZE; - - p.libraCommitments[1] = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); - boundary += GROUP_ELEMENT_SIZE; - p.libraCommitments[2] = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); - boundary += GROUP_ELEMENT_SIZE; - p.geminiMaskingPoly = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); - boundary += GROUP_ELEMENT_SIZE; - p.geminiMaskingEval = bytesToFr(proof[boundary:boundary + FIELD_ELEMENT_SIZE]); - boundary += FIELD_ELEMENT_SIZE; - - // Gemini - // Read gemini fold univariates - for (uint256 i = 0; i < logN - 1; i++) { - p.geminiFoldComms[i] = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); - boundary += GROUP_ELEMENT_SIZE; - } - - // Read gemini a evaluations - for (uint256 i = 0; i < logN; i++) { - p.geminiAEvaluations[i] = bytesToFr(proof[boundary:boundary + FIELD_ELEMENT_SIZE]); - boundary += FIELD_ELEMENT_SIZE; - } - - for (uint256 i = 0; i < 4; i++) { - p.libraPolyEvals[i] = bytesToFr(proof[boundary:boundary + FIELD_ELEMENT_SIZE]); - boundary += FIELD_ELEMENT_SIZE; - } - - // Shplonk - p.shplonkQ = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); - boundary += GROUP_ELEMENT_SIZE; - // KZG - p.kzgQuotient = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); - } -} - -// Field arithmetic 
libraries - -library RelationsLib { - Fr internal constant GRUMPKIN_CURVE_B_PARAMETER_NEGATED = Fr.wrap(17); // -(-17) - - function accumulateRelationEvaluations( - Fr[NUMBER_OF_ENTITIES] memory purportedEvaluations, - Honk.RelationParameters memory rp, - Fr[NUMBER_OF_ALPHAS] memory alphas, - Fr powPartialEval - ) internal pure returns (Fr accumulator) { - Fr[NUMBER_OF_SUBRELATIONS] memory evaluations; - - // Accumulate all relations in Ultra Honk - each with varying number of subrelations - accumulateArithmeticRelation(purportedEvaluations, evaluations, powPartialEval); - accumulatePermutationRelation(purportedEvaluations, rp, evaluations, powPartialEval); - accumulateLogDerivativeLookupRelation(purportedEvaluations, rp, evaluations, powPartialEval); - accumulateDeltaRangeRelation(purportedEvaluations, evaluations, powPartialEval); - accumulateEllipticRelation(purportedEvaluations, evaluations, powPartialEval); - accumulateMemoryRelation(purportedEvaluations, rp, evaluations, powPartialEval); - accumulateNnfRelation(purportedEvaluations, evaluations, powPartialEval); - accumulatePoseidonExternalRelation(purportedEvaluations, evaluations, powPartialEval); - accumulatePoseidonInternalRelation(purportedEvaluations, evaluations, powPartialEval); - - // batch the subrelations with the alpha challenges to obtain the full honk relation - accumulator = scaleAndBatchSubrelations(evaluations, alphas); - } - - /** - * Aesthetic helper function that is used to index by enum into proof.sumcheckEvaluations, it avoids - * the relation checking code being cluttered with uint256 type casting, which is often a different colour in code - * editors, and thus is noisy. 
- */ - function wire(Fr[NUMBER_OF_ENTITIES] memory p, WIRE _wire) internal pure returns (Fr) { - return p[uint256(_wire)]; - } - - uint256 internal constant NEG_HALF_MODULO_P = 0x183227397098d014dc2822db40c0ac2e9419f4243cdcb848a1f0fac9f8000000; - /** - * Ultra Arithmetic Relation - * - */ - - function accumulateArithmeticRelation( - Fr[NUMBER_OF_ENTITIES] memory p, - Fr[NUMBER_OF_SUBRELATIONS] memory evals, - Fr domainSep - ) internal pure { - // Relation 0 - Fr q_arith = wire(p, WIRE.Q_ARITH); + function generateTranscript( + Honk.ZKProof memory proof, + bytes32[] calldata publicInputs, + uint256 vkHash, + uint256 publicInputsSize, + uint256 logN + ) external pure returns (ZKTranscript memory t) { + Fr previousChallenge; + (t.relationParameters, previousChallenge) = + generateRelationParametersChallenges(proof, publicInputs, vkHash, publicInputsSize, previousChallenge); + + (t.alphas, previousChallenge) = generateAlphaChallenges(previousChallenge, proof); + + (t.gateChallenges, previousChallenge) = generateGateChallenges(previousChallenge, logN); + (t.libraChallenge, previousChallenge) = generateLibraChallenge(previousChallenge, proof); + (t.sumCheckUChallenges, previousChallenge) = generateSumcheckChallenges(proof, previousChallenge, logN); + + (t.rho, previousChallenge) = generateRhoChallenge(proof, previousChallenge); + + (t.geminiR, previousChallenge) = generateGeminiRChallenge(proof, previousChallenge, logN); + + (t.shplonkNu, previousChallenge) = generateShplonkNuChallenge(proof, previousChallenge, logN); + + (t.shplonkZ, previousChallenge) = generateShplonkZChallenge(proof, previousChallenge); + return t; + } + + function splitChallenge(Fr challenge) internal pure returns (Fr first, Fr second) { + uint256 challengeU256 = uint256(Fr.unwrap(challenge)); + uint256 lo = challengeU256 & 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF; + uint256 hi = challengeU256 >> 128; + first = FrLib.fromBytes32(bytes32(lo)); + second = FrLib.fromBytes32(bytes32(hi)); + } + + function 
generateRelationParametersChallenges( + Honk.ZKProof memory proof, + bytes32[] calldata publicInputs, + uint256 vkHash, + uint256 publicInputsSize, + Fr previousChallenge + ) internal pure returns (Honk.RelationParameters memory rp, Fr nextPreviousChallenge) { + (rp.eta, rp.etaTwo, rp.etaThree, previousChallenge) = + generateEtaChallenge(proof, publicInputs, vkHash, publicInputsSize); + + (rp.beta, rp.gamma, nextPreviousChallenge) = generateBetaAndGammaChallenges(previousChallenge, proof); + } + + function generateEtaChallenge( + Honk.ZKProof memory proof, + bytes32[] calldata publicInputs, + uint256 vkHash, + uint256 publicInputsSize + ) internal pure returns (Fr eta, Fr etaTwo, Fr etaThree, Fr previousChallenge) { + bytes32[] memory round0 = new bytes32[](1 + publicInputsSize + 6); + round0[0] = bytes32(vkHash); + + for (uint256 i = 0; i < publicInputsSize - PAIRING_POINTS_SIZE; i++) { + round0[1 + i] = bytes32(publicInputs[i]); + } + for (uint256 i = 0; i < PAIRING_POINTS_SIZE; i++) { + round0[1 + publicInputsSize - PAIRING_POINTS_SIZE + i] = FrLib.toBytes32(proof.pairingPointObject[i]); + } + + // Create the first challenge + // Note: w4 is added to the challenge later on + round0[1 + publicInputsSize] = bytes32(proof.w1.x); + round0[1 + publicInputsSize + 1] = bytes32(proof.w1.y); + round0[1 + publicInputsSize + 2] = bytes32(proof.w2.x); + round0[1 + publicInputsSize + 3] = bytes32(proof.w2.y); + round0[1 + publicInputsSize + 4] = bytes32(proof.w3.x); + round0[1 + publicInputsSize + 5] = bytes32(proof.w3.y); + + previousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(round0))); + (eta, etaTwo) = splitChallenge(previousChallenge); + previousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(Fr.unwrap(previousChallenge)))); + + (etaThree,) = splitChallenge(previousChallenge); + } + + function generateBetaAndGammaChallenges(Fr previousChallenge, Honk.ZKProof memory proof) + internal + pure + returns (Fr beta, Fr gamma, Fr nextPreviousChallenge) { - 
Fr neg_half = Fr.wrap(NEG_HALF_MODULO_P); - - Fr accum = (q_arith - Fr.wrap(3)) * (wire(p, WIRE.Q_M) * wire(p, WIRE.W_R) * wire(p, WIRE.W_L)) * neg_half; - accum = - accum + - (wire(p, WIRE.Q_L) * wire(p, WIRE.W_L)) + - (wire(p, WIRE.Q_R) * wire(p, WIRE.W_R)) + - (wire(p, WIRE.Q_O) * wire(p, WIRE.W_O)) + - (wire(p, WIRE.Q_4) * wire(p, WIRE.W_4)) + - wire(p, WIRE.Q_C); - accum = accum + (q_arith - ONE) * wire(p, WIRE.W_4_SHIFT); - accum = accum * q_arith; - accum = accum * domainSep; - evals[0] = accum; - } - - // Relation 1 + bytes32[7] memory round1; + round1[0] = FrLib.toBytes32(previousChallenge); + round1[1] = bytes32(proof.lookupReadCounts.x); + round1[2] = bytes32(proof.lookupReadCounts.y); + round1[3] = bytes32(proof.lookupReadTags.x); + round1[4] = bytes32(proof.lookupReadTags.y); + round1[5] = bytes32(proof.w4.x); + round1[6] = bytes32(proof.w4.y); + + nextPreviousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(round1))); + (beta, gamma) = splitChallenge(nextPreviousChallenge); + } + + // Alpha challenges non-linearise the gate contributions + function generateAlphaChallenges(Fr previousChallenge, Honk.ZKProof memory proof) + internal + pure + returns (Fr[NUMBER_OF_ALPHAS] memory alphas, Fr nextPreviousChallenge) { - Fr accum = wire(p, WIRE.W_L) + wire(p, WIRE.W_4) - wire(p, WIRE.W_L_SHIFT) + wire(p, WIRE.Q_M); - accum = accum * (q_arith - Fr.wrap(2)); - accum = accum * (q_arith - ONE); - accum = accum * q_arith; - accum = accum * domainSep; - evals[1] = accum; - } - } - - function accumulatePermutationRelation( - Fr[NUMBER_OF_ENTITIES] memory p, - Honk.RelationParameters memory rp, - Fr[NUMBER_OF_SUBRELATIONS] memory evals, - Fr domainSep - ) internal pure { - Fr grand_product_numerator; - Fr grand_product_denominator; - + // Generate the original sumcheck alpha 0 by hashing zPerm and zLookup + uint256[5] memory alpha0; + alpha0[0] = Fr.unwrap(previousChallenge); + alpha0[1] = proof.lookupInverses.x; + alpha0[2] = proof.lookupInverses.y; + 
alpha0[3] = proof.zPerm.x; + alpha0[4] = proof.zPerm.y; + + nextPreviousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(alpha0))); + Fr alpha; + (alpha,) = splitChallenge(nextPreviousChallenge); + + // Compute powers of alpha for batching subrelations + alphas[0] = alpha; + for (uint256 i = 1; i < NUMBER_OF_ALPHAS; i++) { + alphas[i] = alphas[i - 1] * alpha; + } + } + + function generateGateChallenges(Fr previousChallenge, uint256 logN) + internal + pure + returns (Fr[CONST_PROOF_SIZE_LOG_N] memory gateChallenges, Fr nextPreviousChallenge) { - Fr num = wire(p, WIRE.W_L) + wire(p, WIRE.ID_1) * rp.beta + rp.gamma; - num = num * (wire(p, WIRE.W_R) + wire(p, WIRE.ID_2) * rp.beta + rp.gamma); - num = num * (wire(p, WIRE.W_O) + wire(p, WIRE.ID_3) * rp.beta + rp.gamma); - num = num * (wire(p, WIRE.W_4) + wire(p, WIRE.ID_4) * rp.beta + rp.gamma); - - grand_product_numerator = num; - } + previousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(Fr.unwrap(previousChallenge)))); + (gateChallenges[0],) = splitChallenge(previousChallenge); + for (uint256 i = 1; i < logN; i++) { + gateChallenges[i] = gateChallenges[i - 1] * gateChallenges[i - 1]; + } + nextPreviousChallenge = previousChallenge; + } + + function generateLibraChallenge(Fr previousChallenge, Honk.ZKProof memory proof) + internal + pure + returns (Fr libraChallenge, Fr nextPreviousChallenge) { - Fr den = wire(p, WIRE.W_L) + wire(p, WIRE.SIGMA_1) * rp.beta + rp.gamma; - den = den * (wire(p, WIRE.W_R) + wire(p, WIRE.SIGMA_2) * rp.beta + rp.gamma); - den = den * (wire(p, WIRE.W_O) + wire(p, WIRE.SIGMA_3) * rp.beta + rp.gamma); - den = den * (wire(p, WIRE.W_4) + wire(p, WIRE.SIGMA_4) * rp.beta + rp.gamma); - - grand_product_denominator = den; - } - - // Contribution 2 + // 2 comm, 1 sum, 1 challenge + uint256[4] memory challengeData; + challengeData[0] = Fr.unwrap(previousChallenge); + challengeData[1] = proof.libraCommitments[0].x; + challengeData[2] = proof.libraCommitments[0].y; + challengeData[3] = 
Fr.unwrap(proof.libraSum); + nextPreviousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(challengeData))); + (libraChallenge,) = splitChallenge(nextPreviousChallenge); + } + + function generateSumcheckChallenges(Honk.ZKProof memory proof, Fr prevChallenge, uint256 logN) + internal + pure + returns (Fr[CONST_PROOF_SIZE_LOG_N] memory sumcheckChallenges, Fr nextPreviousChallenge) { - Fr acc = (wire(p, WIRE.Z_PERM) + wire(p, WIRE.LAGRANGE_FIRST)) * grand_product_numerator; + for (uint256 i = 0; i < logN; i++) { + Fr[ZK_BATCHED_RELATION_PARTIAL_LENGTH + 1] memory univariateChal; + univariateChal[0] = prevChallenge; - acc = acc - ((wire(p, WIRE.Z_PERM_SHIFT) + (wire(p, WIRE.LAGRANGE_LAST) * rp.publicInputsDelta)) * grand_product_denominator); - acc = acc * domainSep; - evals[2] = acc; - } + for (uint256 j = 0; j < ZK_BATCHED_RELATION_PARTIAL_LENGTH; j++) { + univariateChal[j + 1] = proof.sumcheckUnivariates[i][j]; + } + prevChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(univariateChal))); - // Contribution 3 - { - Fr acc = (wire(p, WIRE.LAGRANGE_LAST) * wire(p, WIRE.Z_PERM_SHIFT)) * domainSep; - evals[3] = acc; + (sumcheckChallenges[i],) = splitChallenge(prevChallenge); + } + nextPreviousChallenge = prevChallenge; } - } - - function accumulateLogDerivativeLookupRelation( - Fr[NUMBER_OF_ENTITIES] memory p, - Honk.RelationParameters memory rp, - Fr[NUMBER_OF_SUBRELATIONS] memory evals, - Fr domainSep - ) internal pure { - Fr write_term; - Fr read_term; - // Calculate the write term (the table accumulation) + // We add Libra claimed eval + 3 comm + 1 more eval + function generateRhoChallenge(Honk.ZKProof memory proof, Fr prevChallenge) + internal + pure + returns (Fr rho, Fr nextPreviousChallenge) { - write_term = - wire(p, WIRE.TABLE_1) + - rp.gamma + - (wire(p, WIRE.TABLE_2) * rp.eta) + - (wire(p, WIRE.TABLE_3) * rp.etaTwo) + - (wire(p, WIRE.TABLE_4) * rp.etaThree); - } - - // Calculate the write term + uint256[NUMBER_OF_ENTITIES + 9] memory 
rhoChallengeElements; + rhoChallengeElements[0] = Fr.unwrap(prevChallenge); + uint256 i; + for (i = 1; i <= NUMBER_OF_ENTITIES; i++) { + rhoChallengeElements[i] = Fr.unwrap(proof.sumcheckEvaluations[i - 1]); + } + rhoChallengeElements[i] = Fr.unwrap(proof.libraEvaluation); + + i += 1; + rhoChallengeElements[i] = proof.libraCommitments[1].x; + rhoChallengeElements[i + 1] = proof.libraCommitments[1].y; + i += 2; + rhoChallengeElements[i] = proof.libraCommitments[2].x; + rhoChallengeElements[i + 1] = proof.libraCommitments[2].y; + i += 2; + rhoChallengeElements[i] = proof.geminiMaskingPoly.x; + rhoChallengeElements[i + 1] = proof.geminiMaskingPoly.y; + + i += 2; + rhoChallengeElements[i] = Fr.unwrap(proof.geminiMaskingEval); + + nextPreviousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(rhoChallengeElements))); + (rho,) = splitChallenge(nextPreviousChallenge); + } + + function generateGeminiRChallenge(Honk.ZKProof memory proof, Fr prevChallenge, uint256 logN) + internal + pure + returns (Fr geminiR, Fr nextPreviousChallenge) { - Fr derived_entry_1 = wire(p, WIRE.W_L) + rp.gamma + (wire(p, WIRE.Q_R) * wire(p, WIRE.W_L_SHIFT)); - Fr derived_entry_2 = wire(p, WIRE.W_R) + wire(p, WIRE.Q_M) * wire(p, WIRE.W_R_SHIFT); - Fr derived_entry_3 = wire(p, WIRE.W_O) + wire(p, WIRE.Q_C) * wire(p, WIRE.W_O_SHIFT); - - read_term = derived_entry_1 + (derived_entry_2 * rp.eta) + (derived_entry_3 * rp.etaTwo) + (wire(p, WIRE.Q_O) * rp.etaThree); - } - - Fr read_inverse = wire(p, WIRE.LOOKUP_INVERSES) * write_term; - Fr write_inverse = wire(p, WIRE.LOOKUP_INVERSES) * read_term; - - Fr inverse_exists_xor = wire(p, WIRE.LOOKUP_READ_TAGS) + - wire(p, WIRE.Q_LOOKUP) - - (wire(p, WIRE.LOOKUP_READ_TAGS) * wire(p, WIRE.Q_LOOKUP)); - - // Inverse calculated correctly relation - Fr accumulatorNone = read_term * write_term * wire(p, WIRE.LOOKUP_INVERSES) - inverse_exists_xor; - accumulatorNone = accumulatorNone * domainSep; - - // Inverse - Fr accumulatorOne = wire(p, WIRE.Q_LOOKUP) * 
read_inverse - wire(p, WIRE.LOOKUP_READ_COUNTS) * write_inverse; - - Fr read_tag = wire(p, WIRE.LOOKUP_READ_TAGS); - - Fr read_tag_boolean_relation = read_tag * read_tag - read_tag; + uint256[] memory gR = new uint256[]((logN - 1) * 2 + 1); + gR[0] = Fr.unwrap(prevChallenge); - evals[4] = accumulatorNone; - evals[5] = accumulatorOne; - evals[6] = read_tag_boolean_relation * domainSep; - } + for (uint256 i = 0; i < logN - 1; i++) { + gR[1 + i * 2] = proof.geminiFoldComms[i].x; + gR[2 + i * 2] = proof.geminiFoldComms[i].y; + } - function accumulateDeltaRangeRelation( - Fr[NUMBER_OF_ENTITIES] memory p, - Fr[NUMBER_OF_SUBRELATIONS] memory evals, - Fr domainSep - ) internal pure { - Fr minus_one = ZERO - ONE; - Fr minus_two = ZERO - Fr.wrap(2); - Fr minus_three = ZERO - Fr.wrap(3); + nextPreviousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(gR))); - // Compute wire differences - Fr delta_1 = wire(p, WIRE.W_R) - wire(p, WIRE.W_L); - Fr delta_2 = wire(p, WIRE.W_O) - wire(p, WIRE.W_R); - Fr delta_3 = wire(p, WIRE.W_4) - wire(p, WIRE.W_O); - Fr delta_4 = wire(p, WIRE.W_L_SHIFT) - wire(p, WIRE.W_4); - - // Contribution 6 - { - Fr acc = delta_1; - acc = acc * (delta_1 + minus_one); - acc = acc * (delta_1 + minus_two); - acc = acc * (delta_1 + minus_three); - acc = acc * wire(p, WIRE.Q_RANGE); - acc = acc * domainSep; - evals[7] = acc; + (geminiR,) = splitChallenge(nextPreviousChallenge); } - // Contribution 7 + function generateShplonkNuChallenge(Honk.ZKProof memory proof, Fr prevChallenge, uint256 logN) + internal + pure + returns (Fr shplonkNu, Fr nextPreviousChallenge) { - Fr acc = delta_2; - acc = acc * (delta_2 + minus_one); - acc = acc * (delta_2 + minus_two); - acc = acc * (delta_2 + minus_three); - acc = acc * wire(p, WIRE.Q_RANGE); - acc = acc * domainSep; - evals[8] = acc; - } + uint256[] memory shplonkNuChallengeElements = new uint256[](logN + 1 + 4); + shplonkNuChallengeElements[0] = Fr.unwrap(prevChallenge); - // Contribution 8 - { - Fr acc = delta_3; 
- acc = acc * (delta_3 + minus_one); - acc = acc * (delta_3 + minus_two); - acc = acc * (delta_3 + minus_three); - acc = acc * wire(p, WIRE.Q_RANGE); - acc = acc * domainSep; - evals[9] = acc; - } + for (uint256 i = 1; i <= logN; i++) { + shplonkNuChallengeElements[i] = Fr.unwrap(proof.geminiAEvaluations[i - 1]); + } - // Contribution 9 - { - Fr acc = delta_4; - acc = acc * (delta_4 + minus_one); - acc = acc * (delta_4 + minus_two); - acc = acc * (delta_4 + minus_three); - acc = acc * wire(p, WIRE.Q_RANGE); - acc = acc * domainSep; - evals[10] = acc; - } - } - - struct EllipticParams { - // Points - Fr x_1; - Fr y_1; - Fr x_2; - Fr y_2; - Fr y_3; - Fr x_3; - // push accumulators into memory - Fr x_double_identity; - } - - function accumulateEllipticRelation( - Fr[NUMBER_OF_ENTITIES] memory p, - Fr[NUMBER_OF_SUBRELATIONS] memory evals, - Fr domainSep - ) internal pure { - EllipticParams memory ep; - ep.x_1 = wire(p, WIRE.W_R); - ep.y_1 = wire(p, WIRE.W_O); - - ep.x_2 = wire(p, WIRE.W_L_SHIFT); - ep.y_2 = wire(p, WIRE.W_4_SHIFT); - ep.y_3 = wire(p, WIRE.W_O_SHIFT); - ep.x_3 = wire(p, WIRE.W_R_SHIFT); - - Fr q_sign = wire(p, WIRE.Q_L); - Fr q_is_double = wire(p, WIRE.Q_M); - - // Contribution 10 point addition, x-coordinate check - // q_elliptic * (x3 + x2 + x1)(x2 - x1)(x2 - x1) - y2^2 - y1^2 + 2(y2y1)*q_sign = 0 - Fr x_diff = (ep.x_2 - ep.x_1); - Fr y1_sqr = (ep.y_1 * ep.y_1); - { - // Move to top - Fr partialEval = domainSep; - - Fr y2_sqr = (ep.y_2 * ep.y_2); - Fr y1y2 = ep.y_1 * ep.y_2 * q_sign; - Fr x_add_identity = (ep.x_3 + ep.x_2 + ep.x_1); - x_add_identity = x_add_identity * x_diff * x_diff; - x_add_identity = x_add_identity - y2_sqr - y1_sqr + y1y2 + y1y2; - - evals[11] = x_add_identity * partialEval * wire(p, WIRE.Q_ELLIPTIC) * (ONE - q_is_double); - } + uint256 libraIdx = 0; + for (uint256 i = logN + 1; i <= logN + 4; i++) { + shplonkNuChallengeElements[i] = Fr.unwrap(proof.libraPolyEvals[libraIdx]); + libraIdx++; + } - // Contribution 11 point addition, 
x-coordinate check - // q_elliptic * (q_sign * y1 + y3)(x2 - x1) + (x3 - x1)(y2 - q_sign * y1) = 0 - { - Fr y1_plus_y3 = ep.y_1 + ep.y_3; - Fr y_diff = ep.y_2 * q_sign - ep.y_1; - Fr y_add_identity = y1_plus_y3 * x_diff + (ep.x_3 - ep.x_1) * y_diff; - evals[12] = y_add_identity * domainSep * wire(p, WIRE.Q_ELLIPTIC) * (ONE - q_is_double); + nextPreviousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(shplonkNuChallengeElements))); + (shplonkNu,) = splitChallenge(nextPreviousChallenge); } - // Contribution 10 point doubling, x-coordinate check - // (x3 + x1 + x1) (4y1*y1) - 9 * x1 * x1 * x1 * x1 = 0 - // N.B. we're using the equivalence x1*x1*x1 === y1*y1 - curve_b to reduce degree by 1 + function generateShplonkZChallenge(Honk.ZKProof memory proof, Fr prevChallenge) + internal + pure + returns (Fr shplonkZ, Fr nextPreviousChallenge) { - Fr x_pow_4 = (y1_sqr + GRUMPKIN_CURVE_B_PARAMETER_NEGATED) * ep.x_1; - Fr y1_sqr_mul_4 = y1_sqr + y1_sqr; - y1_sqr_mul_4 = y1_sqr_mul_4 + y1_sqr_mul_4; - Fr x1_pow_4_mul_9 = x_pow_4 * Fr.wrap(9); + uint256[3] memory shplonkZChallengeElements; + shplonkZChallengeElements[0] = Fr.unwrap(prevChallenge); + + shplonkZChallengeElements[1] = proof.shplonkQ.x; + shplonkZChallengeElements[2] = proof.shplonkQ.y; + + nextPreviousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(shplonkZChallengeElements))); + (shplonkZ,) = splitChallenge(nextPreviousChallenge); + } + + function loadProof(bytes calldata proof, uint256 logN) internal pure returns (Honk.ZKProof memory p) { + uint256 boundary = 0x0; + + // Pairing point object + for (uint256 i = 0; i < PAIRING_POINTS_SIZE; i++) { + p.pairingPointObject[i] = bytesToFr(proof[boundary:boundary + FIELD_ELEMENT_SIZE]); + boundary += FIELD_ELEMENT_SIZE; + } + // Commitments + p.w1 = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); + boundary += GROUP_ELEMENT_SIZE; + p.w2 = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); + boundary += GROUP_ELEMENT_SIZE; + p.w3 
= bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); + boundary += GROUP_ELEMENT_SIZE; + + // Lookup / Permutation Helper Commitments + p.lookupReadCounts = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); + boundary += GROUP_ELEMENT_SIZE; + p.lookupReadTags = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); + boundary += GROUP_ELEMENT_SIZE; + p.w4 = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); + boundary += GROUP_ELEMENT_SIZE; + p.lookupInverses = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); + boundary += GROUP_ELEMENT_SIZE; + p.zPerm = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); + boundary += GROUP_ELEMENT_SIZE; + p.libraCommitments[0] = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); + boundary += GROUP_ELEMENT_SIZE; + + p.libraSum = bytesToFr(proof[boundary:boundary + FIELD_ELEMENT_SIZE]); + boundary += FIELD_ELEMENT_SIZE; + // Sumcheck univariates + for (uint256 i = 0; i < logN; i++) { + for (uint256 j = 0; j < ZK_BATCHED_RELATION_PARTIAL_LENGTH; j++) { + p.sumcheckUnivariates[i][j] = bytesToFr(proof[boundary:boundary + FIELD_ELEMENT_SIZE]); + boundary += FIELD_ELEMENT_SIZE; + } + } + + // Sumcheck evaluations + for (uint256 i = 0; i < NUMBER_OF_ENTITIES; i++) { + p.sumcheckEvaluations[i] = bytesToFr(proof[boundary:boundary + FIELD_ELEMENT_SIZE]); + boundary += FIELD_ELEMENT_SIZE; + } + + p.libraEvaluation = bytesToFr(proof[boundary:boundary + FIELD_ELEMENT_SIZE]); + boundary += FIELD_ELEMENT_SIZE; - // NOTE: pushed into memory (stack >:'( ) - ep.x_double_identity = (ep.x_3 + ep.x_1 + ep.x_1) * y1_sqr_mul_4 - x1_pow_4_mul_9; + p.libraCommitments[1] = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); + boundary += GROUP_ELEMENT_SIZE; + p.libraCommitments[2] = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); + boundary += GROUP_ELEMENT_SIZE; + p.geminiMaskingPoly = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); 
+ boundary += GROUP_ELEMENT_SIZE; + p.geminiMaskingEval = bytesToFr(proof[boundary:boundary + FIELD_ELEMENT_SIZE]); + boundary += FIELD_ELEMENT_SIZE; - Fr acc = ep.x_double_identity * domainSep * wire(p, WIRE.Q_ELLIPTIC) * q_is_double; - evals[11] = evals[11] + acc; + // Gemini + // Read gemini fold univariates + for (uint256 i = 0; i < logN - 1; i++) { + p.geminiFoldComms[i] = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); + boundary += GROUP_ELEMENT_SIZE; + } + + // Read gemini a evaluations + for (uint256 i = 0; i < logN; i++) { + p.geminiAEvaluations[i] = bytesToFr(proof[boundary:boundary + FIELD_ELEMENT_SIZE]); + boundary += FIELD_ELEMENT_SIZE; + } + + for (uint256 i = 0; i < 4; i++) { + p.libraPolyEvals[i] = bytesToFr(proof[boundary:boundary + FIELD_ELEMENT_SIZE]); + boundary += FIELD_ELEMENT_SIZE; + } + + // Shplonk + p.shplonkQ = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); + boundary += GROUP_ELEMENT_SIZE; + // KZG + p.kzgQuotient = bytesToG1Point(proof[boundary:boundary + GROUP_ELEMENT_SIZE]); } +} - // Contribution 11 point doubling, y-coordinate check - // (y1 + y1) (2y1) - (3 * x1 * x1)(x1 - x3) = 0 - { - Fr x1_sqr_mul_3 = (ep.x_1 + ep.x_1 + ep.x_1) * ep.x_1; - Fr y_double_identity = x1_sqr_mul_3 * (ep.x_1 - ep.x_3) - (ep.y_1 + ep.y_1) * (ep.y_1 + ep.y_3); - evals[12] = evals[12] + y_double_identity * domainSep * wire(p, WIRE.Q_ELLIPTIC) * q_is_double; - } - } - - // Parameters used within the Memory Relation - // A struct is used to work around stack too deep. 
This relation has alot of variables - struct MemParams { - Fr memory_record_check; - Fr partial_record_check; - Fr next_gate_access_type; - Fr record_delta; - Fr index_delta; - Fr adjacent_values_match_if_adjacent_indices_match; - Fr adjacent_values_match_if_adjacent_indices_match_and_next_access_is_a_read_operation; - Fr access_check; - Fr next_gate_access_type_is_boolean; - Fr ROM_consistency_check_identity; - Fr RAM_consistency_check_identity; - Fr timestamp_delta; - Fr RAM_timestamp_check_identity; - Fr memory_identity; - Fr index_is_monotonically_increasing; - } - - function accumulateMemoryRelation( - Fr[NUMBER_OF_ENTITIES] memory p, - Honk.RelationParameters memory rp, - Fr[NUMBER_OF_SUBRELATIONS] memory evals, - Fr domainSep - ) internal pure { - MemParams memory ap; - - /** - * MEMORY - * - * A RAM memory record contains a tuple of the following fields: - * * i: `index` of memory cell being accessed - * * t: `timestamp` of memory cell being accessed (used for RAM, set to 0 for ROM) - * * v: `value` of memory cell being accessed - * * a: `access` type of record. read: 0 = read, 1 = write - * * r: `record` of memory cell. record = access + index * eta + timestamp * eta_two + value * eta_three - * - * A ROM memory record contains a tuple of the following fields: - * * i: `index` of memory cell being accessed - * * v: `value1` of memory cell being accessed (ROM tables can store up to 2 values per index) - * * v2:`value2` of memory cell being accessed (ROM tables can store up to 2 values per index) - * * r: `record` of memory cell. 
record = index * eta + value2 * eta_two + value1 * eta_three - * - * When performing a read/write access, the values of i, t, v, v2, a, r are stored in the following wires + - * selectors, depending on whether the gate is a RAM read/write or a ROM read - * - * | gate type | i | v2/t | v | a | r | - * | --------- | -- | ----- | -- | -- | -- | - * | ROM | w1 | w2 | w3 | -- | w4 | - * | RAM | w1 | w2 | w3 | qc | w4 | - * - * (for accesses where `index` is a circuit constant, it is assumed the circuit will apply a copy constraint on - * `w2` to fix its value) - * - * - */ - - /** - * Memory Record Check - * Partial degree: 1 - * Total degree: 4 - * - * A ROM/ROM access gate can be evaluated with the identity: - * - * qc + w1 \eta + w2 \eta_two + w3 \eta_three - w4 = 0 - * - * For ROM gates, qc = 0 - */ - ap.memory_record_check = wire(p, WIRE.W_O) * rp.etaThree; - ap.memory_record_check = ap.memory_record_check + (wire(p, WIRE.W_R) * rp.etaTwo); - ap.memory_record_check = ap.memory_record_check + (wire(p, WIRE.W_L) * rp.eta); - ap.memory_record_check = ap.memory_record_check + wire(p, WIRE.Q_C); - ap.partial_record_check = ap.memory_record_check; // used in RAM consistency check; deg 1 or 4 - ap.memory_record_check = ap.memory_record_check - wire(p, WIRE.W_4); - - /** - * Contribution 13 & 14 - * ROM Consistency Check - * Partial degree: 1 - * Total degree: 4 - * - * For every ROM read, a set equivalence check is applied between the record witnesses, and a second set of - * records that are sorted. - * - * We apply the following checks for the sorted records: - * - * 1. w1, w2, w3 correctly map to 'index', 'v1, 'v2' for a given record value at w4 - * 2. index values for adjacent records are monotonically increasing - * 3. 
if, at gate i, index_i == index_{i + 1}, then value1_i == value1_{i + 1} and value2_i == value2_{i + 1} - * - */ - ap.index_delta = wire(p, WIRE.W_L_SHIFT) - wire(p, WIRE.W_L); - ap.record_delta = wire(p, WIRE.W_4_SHIFT) - wire(p, WIRE.W_4); - - ap.index_is_monotonically_increasing = ap.index_delta * (ap.index_delta - Fr.wrap(1)); // deg 2 - - ap.adjacent_values_match_if_adjacent_indices_match = (ap.index_delta * MINUS_ONE + ONE) * ap.record_delta; // deg 2 - - evals[14] = - ap.adjacent_values_match_if_adjacent_indices_match * - (wire(p, WIRE.Q_L) * wire(p, WIRE.Q_R)) * - (wire(p, WIRE.Q_MEMORY) * domainSep); // deg 5 - evals[15] = ap.index_is_monotonically_increasing * (wire(p, WIRE.Q_L) * wire(p, WIRE.Q_R)) * (wire(p, WIRE.Q_MEMORY) * domainSep); // deg 5 +// Field arithmetic libraries - ap.ROM_consistency_check_identity = ap.memory_record_check * (wire(p, WIRE.Q_L) * wire(p, WIRE.Q_R)); // deg 3 or 7 +library RelationsLib { + Fr internal constant GRUMPKIN_CURVE_B_PARAMETER_NEGATED = Fr.wrap(17); // -(-17) + + function accumulateRelationEvaluations( + Fr[NUMBER_OF_ENTITIES] memory purportedEvaluations, + Honk.RelationParameters memory rp, + Fr[NUMBER_OF_ALPHAS] memory alphas, + Fr powPartialEval + ) internal pure returns (Fr accumulator) { + Fr[NUMBER_OF_SUBRELATIONS] memory evaluations; + + // Accumulate all relations in Ultra Honk - each with varying number of subrelations + accumulateArithmeticRelation(purportedEvaluations, evaluations, powPartialEval); + accumulatePermutationRelation(purportedEvaluations, rp, evaluations, powPartialEval); + accumulateLogDerivativeLookupRelation(purportedEvaluations, rp, evaluations, powPartialEval); + accumulateDeltaRangeRelation(purportedEvaluations, evaluations, powPartialEval); + accumulateEllipticRelation(purportedEvaluations, evaluations, powPartialEval); + accumulateMemoryRelation(purportedEvaluations, rp, evaluations, powPartialEval); + accumulateNnfRelation(purportedEvaluations, evaluations, powPartialEval); + 
accumulatePoseidonExternalRelation(purportedEvaluations, evaluations, powPartialEval); + accumulatePoseidonInternalRelation(purportedEvaluations, evaluations, powPartialEval); + + // batch the subrelations with the alpha challenges to obtain the full honk relation + accumulator = scaleAndBatchSubrelations(evaluations, alphas); + } /** - * Contributions 15,16,17 - * RAM Consistency Check - * - * The 'access' type of the record is extracted with the expression `w_4 - ap.partial_record_check` - * (i.e. for an honest Prover `w1 * eta + w2 * eta^2 + w3 * eta^3 - w4 = access`. - * This is validated by requiring `access` to be boolean - * - * For two adjacent entries in the sorted list if _both_ - * A) index values match - * B) adjacent access value is 0 (i.e. next gate is a READ) - * then - * C) both values must match. - * The gate boolean check is - * (A && B) => C === !(A && B) || C === !A || !B || C - * - * N.B. it is the responsibility of the circuit writer to ensure that every RAM cell is initialized - * with a WRITE operation. + * Aesthetic helper function that is used to index by enum into proof.sumcheckEvaluations, it avoids + * the relation checking code being cluttered with uint256 type casting, which is often a different colour in code + * editors, and thus is noisy. 
*/ - Fr access_type = (wire(p, WIRE.W_4) - ap.partial_record_check); // will be 0 or 1 for honest Prover; deg 1 or 4 - ap.access_check = access_type * (access_type - Fr.wrap(1)); // check value is 0 or 1; deg 2 or 8 - - // reverse order we could re-use `ap.partial_record_check` 1 - ((w3' * eta + w2') * eta + w1') * eta - // deg 1 or 4 - ap.next_gate_access_type = wire(p, WIRE.W_O_SHIFT) * rp.etaThree; - ap.next_gate_access_type = ap.next_gate_access_type + (wire(p, WIRE.W_R_SHIFT) * rp.etaTwo); - ap.next_gate_access_type = ap.next_gate_access_type + (wire(p, WIRE.W_L_SHIFT) * rp.eta); - ap.next_gate_access_type = wire(p, WIRE.W_4_SHIFT) - ap.next_gate_access_type; - - Fr value_delta = wire(p, WIRE.W_O_SHIFT) - wire(p, WIRE.W_O); - ap.adjacent_values_match_if_adjacent_indices_match_and_next_access_is_a_read_operation = - (ap.index_delta * MINUS_ONE + ONE) * - value_delta * - (ap.next_gate_access_type * MINUS_ONE + ONE); // deg 3 or 6 - - // We can't apply the RAM consistency check identity on the final entry in the sorted list (the wires in the - // next gate would make the identity fail). We need to validate that its 'access type' bool is correct. Can't - // do with an arithmetic gate because of the `eta` factors. We need to check that the *next* gate's access - // type is correct, to cover this edge case - // deg 2 or 4 - ap.next_gate_access_type_is_boolean = ap.next_gate_access_type * ap.next_gate_access_type - ap.next_gate_access_type; - - // Putting it all together... 
- evals[16] = - ap.adjacent_values_match_if_adjacent_indices_match_and_next_access_is_a_read_operation * - (wire(p, WIRE.Q_O)) * - (wire(p, WIRE.Q_MEMORY) * domainSep); // deg 5 or 8 - evals[17] = ap.index_is_monotonically_increasing * (wire(p, WIRE.Q_O)) * (wire(p, WIRE.Q_MEMORY) * domainSep); // deg 4 - evals[18] = ap.next_gate_access_type_is_boolean * (wire(p, WIRE.Q_O)) * (wire(p, WIRE.Q_MEMORY) * domainSep); // deg 4 or 6 - - ap.RAM_consistency_check_identity = ap.access_check * (wire(p, WIRE.Q_O)); // deg 3 or 9 + function wire(Fr[NUMBER_OF_ENTITIES] memory p, WIRE _wire) internal pure returns (Fr) { + return p[uint256(_wire)]; + } + uint256 internal constant NEG_HALF_MODULO_P = 0x183227397098d014dc2822db40c0ac2e9419f4243cdcb848a1f0fac9f8000000; /** - * RAM Timestamp Consistency Check - * - * | w1 | w2 | w3 | w4 | - * | index | timestamp | timestamp_check | -- | - * - * Let delta_index = index_{i + 1} - index_{i} + * Ultra Arithmetic Relation * - * Iff delta_index == 0, timestamp_check = timestamp_{i + 1} - timestamp_i - * Else timestamp_check = 0 */ - ap.timestamp_delta = wire(p, WIRE.W_R_SHIFT) - wire(p, WIRE.W_R); - ap.RAM_timestamp_check_identity = (ap.index_delta * MINUS_ONE + ONE) * ap.timestamp_delta - wire(p, WIRE.W_O); // deg 3 - /** - * Complete Contribution 12 - * The complete RAM/ROM memory identity - * Partial degree: - */ - ap.memory_identity = ap.ROM_consistency_check_identity; // deg 3 or 6 - ap.memory_identity = ap.memory_identity + ap.RAM_timestamp_check_identity * (wire(p, WIRE.Q_4) * wire(p, WIRE.Q_L)); // deg 4 - ap.memory_identity = ap.memory_identity + ap.memory_record_check * (wire(p, WIRE.Q_M) * wire(p, WIRE.Q_L)); // deg 3 or 6 - ap.memory_identity = ap.memory_identity + ap.RAM_consistency_check_identity; // deg 3 or 9 - - // (deg 3 or 9) + (deg 4) + (deg 3) - ap.memory_identity = ap.memory_identity * (wire(p, WIRE.Q_MEMORY) * domainSep); // deg 4 or 10 - evals[13] = ap.memory_identity; - } - - // Constants for the Non-native Field 
relation - Fr constant LIMB_SIZE = Fr.wrap(uint256(1) << 68); - Fr constant SUBLIMB_SHIFT = Fr.wrap(uint256(1) << 14); - - // Parameters used within the Non-Native Field Relation - // A struct is used to work around stack too deep. This relation has alot of variables - struct NnfParams { - Fr limb_subproduct; - Fr non_native_field_gate_1; - Fr non_native_field_gate_2; - Fr non_native_field_gate_3; - Fr limb_accumulator_1; - Fr limb_accumulator_2; - Fr nnf_identity; - } - - function accumulateNnfRelation(Fr[NUMBER_OF_ENTITIES] memory p, Fr[NUMBER_OF_SUBRELATIONS] memory evals, Fr domainSep) internal pure { - NnfParams memory ap; - - /** - * Contribution 12 - * Non native field arithmetic gate 2 - * deg 4 - * - * _ _ - * / _ _ _ 14 \ - * q_2 . q_4 | (w_1 . w_2) + (w_1 . w_2) + (w_1 . w_4 + w_2 . w_3 - w_3) . 2 - w_3 - w_4 | - * \_ _/ - * - * - */ - ap.limb_subproduct = wire(p, WIRE.W_L) * wire(p, WIRE.W_R_SHIFT) + wire(p, WIRE.W_L_SHIFT) * wire(p, WIRE.W_R); - ap.non_native_field_gate_2 = (wire(p, WIRE.W_L) * wire(p, WIRE.W_4) + wire(p, WIRE.W_R) * wire(p, WIRE.W_O) - wire(p, WIRE.W_O_SHIFT)); - ap.non_native_field_gate_2 = ap.non_native_field_gate_2 * LIMB_SIZE; - ap.non_native_field_gate_2 = ap.non_native_field_gate_2 - wire(p, WIRE.W_4_SHIFT); - ap.non_native_field_gate_2 = ap.non_native_field_gate_2 + ap.limb_subproduct; - ap.non_native_field_gate_2 = ap.non_native_field_gate_2 * wire(p, WIRE.Q_4); - - ap.limb_subproduct = ap.limb_subproduct * LIMB_SIZE; - ap.limb_subproduct = ap.limb_subproduct + (wire(p, WIRE.W_L_SHIFT) * wire(p, WIRE.W_R_SHIFT)); - ap.non_native_field_gate_1 = ap.limb_subproduct; - ap.non_native_field_gate_1 = ap.non_native_field_gate_1 - (wire(p, WIRE.W_O) + wire(p, WIRE.W_4)); - ap.non_native_field_gate_1 = ap.non_native_field_gate_1 * wire(p, WIRE.Q_O); - - ap.non_native_field_gate_3 = ap.limb_subproduct; - ap.non_native_field_gate_3 = ap.non_native_field_gate_3 + wire(p, WIRE.W_4); - ap.non_native_field_gate_3 = ap.non_native_field_gate_3 
- (wire(p, WIRE.W_O_SHIFT) + wire(p, WIRE.W_4_SHIFT)); - ap.non_native_field_gate_3 = ap.non_native_field_gate_3 * wire(p, WIRE.Q_M); - - Fr non_native_field_identity = ap.non_native_field_gate_1 + ap.non_native_field_gate_2 + ap.non_native_field_gate_3; - non_native_field_identity = non_native_field_identity * wire(p, WIRE.Q_R); - - // ((((w2' * 2^14 + w1') * 2^14 + w3) * 2^14 + w2) * 2^14 + w1 - w4) * qm - // deg 2 - ap.limb_accumulator_1 = wire(p, WIRE.W_R_SHIFT) * SUBLIMB_SHIFT; - ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_L_SHIFT); - ap.limb_accumulator_1 = ap.limb_accumulator_1 * SUBLIMB_SHIFT; - ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_O); - ap.limb_accumulator_1 = ap.limb_accumulator_1 * SUBLIMB_SHIFT; - ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_R); - ap.limb_accumulator_1 = ap.limb_accumulator_1 * SUBLIMB_SHIFT; - ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_L); - ap.limb_accumulator_1 = ap.limb_accumulator_1 - wire(p, WIRE.W_4); - ap.limb_accumulator_1 = ap.limb_accumulator_1 * wire(p, WIRE.Q_4); - - // ((((w3' * 2^14 + w2') * 2^14 + w1') * 2^14 + w4) * 2^14 + w3 - w4') * qm - // deg 2 - ap.limb_accumulator_2 = wire(p, WIRE.W_O_SHIFT) * SUBLIMB_SHIFT; - ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_R_SHIFT); - ap.limb_accumulator_2 = ap.limb_accumulator_2 * SUBLIMB_SHIFT; - ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_L_SHIFT); - ap.limb_accumulator_2 = ap.limb_accumulator_2 * SUBLIMB_SHIFT; - ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_4); - ap.limb_accumulator_2 = ap.limb_accumulator_2 * SUBLIMB_SHIFT; - ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_O); - ap.limb_accumulator_2 = ap.limb_accumulator_2 - wire(p, WIRE.W_4_SHIFT); - ap.limb_accumulator_2 = ap.limb_accumulator_2 * wire(p, WIRE.Q_M); - - Fr limb_accumulator_identity = ap.limb_accumulator_1 + ap.limb_accumulator_2; - limb_accumulator_identity = 
limb_accumulator_identity * wire(p, WIRE.Q_O); // deg 3 - - ap.nnf_identity = non_native_field_identity + limb_accumulator_identity; - ap.nnf_identity = ap.nnf_identity * (wire(p, WIRE.Q_NNF) * domainSep); - evals[19] = ap.nnf_identity; - } - - struct PoseidonExternalParams { - Fr s1; - Fr s2; - Fr s3; - Fr s4; - Fr u1; - Fr u2; - Fr u3; - Fr u4; - Fr t0; - Fr t1; - Fr t2; - Fr t3; - Fr v1; - Fr v2; - Fr v3; - Fr v4; - Fr q_pos_by_scaling; - } - - function accumulatePoseidonExternalRelation( - Fr[NUMBER_OF_ENTITIES] memory p, - Fr[NUMBER_OF_SUBRELATIONS] memory evals, - Fr domainSep - ) internal pure { - PoseidonExternalParams memory ep; - - ep.s1 = wire(p, WIRE.W_L) + wire(p, WIRE.Q_L); - ep.s2 = wire(p, WIRE.W_R) + wire(p, WIRE.Q_R); - ep.s3 = wire(p, WIRE.W_O) + wire(p, WIRE.Q_O); - ep.s4 = wire(p, WIRE.W_4) + wire(p, WIRE.Q_4); - - ep.u1 = ep.s1 * ep.s1 * ep.s1 * ep.s1 * ep.s1; - ep.u2 = ep.s2 * ep.s2 * ep.s2 * ep.s2 * ep.s2; - ep.u3 = ep.s3 * ep.s3 * ep.s3 * ep.s3 * ep.s3; - ep.u4 = ep.s4 * ep.s4 * ep.s4 * ep.s4 * ep.s4; - // matrix mul v = M_E * u with 14 additions - ep.t0 = ep.u1 + ep.u2; // u_1 + u_2 - ep.t1 = ep.u3 + ep.u4; // u_3 + u_4 - ep.t2 = ep.u2 + ep.u2 + ep.t1; // 2u_2 - // ep.t2 += ep.t1; // 2u_2 + u_3 + u_4 - ep.t3 = ep.u4 + ep.u4 + ep.t0; // 2u_4 - // ep.t3 += ep.t0; // u_1 + u_2 + 2u_4 - ep.v4 = ep.t1 + ep.t1; - ep.v4 = ep.v4 + ep.v4 + ep.t3; - // ep.v4 += ep.t3; // u_1 + u_2 + 4u_3 + 6u_4 - ep.v2 = ep.t0 + ep.t0; - ep.v2 = ep.v2 + ep.v2 + ep.t2; - // ep.v2 += ep.t2; // 4u_1 + 6u_2 + u_3 + u_4 - ep.v1 = ep.t3 + ep.v2; // 5u_1 + 7u_2 + u_3 + 3u_4 - ep.v3 = ep.t2 + ep.v4; // u_1 + 3u_2 + 5u_3 + 7u_4 - - ep.q_pos_by_scaling = wire(p, WIRE.Q_POSEIDON2_EXTERNAL) * domainSep; - evals[20] = evals[20] + ep.q_pos_by_scaling * (ep.v1 - wire(p, WIRE.W_L_SHIFT)); - - evals[21] = evals[21] + ep.q_pos_by_scaling * (ep.v2 - wire(p, WIRE.W_R_SHIFT)); - - evals[22] = evals[22] + ep.q_pos_by_scaling * (ep.v3 - wire(p, WIRE.W_O_SHIFT)); - - evals[23] = evals[23] 
+ ep.q_pos_by_scaling * (ep.v4 - wire(p, WIRE.W_4_SHIFT)); - } - - struct PoseidonInternalParams { - Fr u1; - Fr u2; - Fr u3; - Fr u4; - Fr u_sum; - Fr v1; - Fr v2; - Fr v3; - Fr v4; - Fr s1; - Fr q_pos_by_scaling; - } - - function accumulatePoseidonInternalRelation( - Fr[NUMBER_OF_ENTITIES] memory p, - Fr[NUMBER_OF_SUBRELATIONS] memory evals, - Fr domainSep - ) internal pure { - PoseidonInternalParams memory ip; - - Fr[4] memory INTERNAL_MATRIX_DIAGONAL = [ - FrLib.from(0x10dc6e9c006ea38b04b1e03b4bd9490c0d03f98929ca1d7fb56821fd19d3b6e7), - FrLib.from(0x0c28145b6a44df3e0149b3d0a30b3bb599df9756d4dd9b84a86b38cfb45a740b), - FrLib.from(0x00544b8338791518b2c7645a50392798b21f75bb60e3596170067d00141cac15), - FrLib.from(0x222c01175718386f2e2e82eb122789e352e105a3b8fa852613bc534433ee428b) - ]; - - // add round constants - ip.s1 = wire(p, WIRE.W_L) + wire(p, WIRE.Q_L); - - // apply s-box round - ip.u1 = ip.s1 * ip.s1 * ip.s1 * ip.s1 * ip.s1; - ip.u2 = wire(p, WIRE.W_R); - ip.u3 = wire(p, WIRE.W_O); - ip.u4 = wire(p, WIRE.W_4); - - // matrix mul with v = M_I * u 4 muls and 7 additions - ip.u_sum = ip.u1 + ip.u2 + ip.u3 + ip.u4; - - ip.q_pos_by_scaling = wire(p, WIRE.Q_POSEIDON2_INTERNAL) * domainSep; - - ip.v1 = ip.u1 * INTERNAL_MATRIX_DIAGONAL[0] + ip.u_sum; - evals[24] = evals[24] + ip.q_pos_by_scaling * (ip.v1 - wire(p, WIRE.W_L_SHIFT)); - - ip.v2 = ip.u2 * INTERNAL_MATRIX_DIAGONAL[1] + ip.u_sum; - evals[25] = evals[25] + ip.q_pos_by_scaling * (ip.v2 - wire(p, WIRE.W_R_SHIFT)); - - ip.v3 = ip.u3 * INTERNAL_MATRIX_DIAGONAL[2] + ip.u_sum; - evals[26] = evals[26] + ip.q_pos_by_scaling * (ip.v3 - wire(p, WIRE.W_O_SHIFT)); - - ip.v4 = ip.u4 * INTERNAL_MATRIX_DIAGONAL[3] + ip.u_sum; - evals[27] = evals[27] + ip.q_pos_by_scaling * (ip.v4 - wire(p, WIRE.W_4_SHIFT)); - } - - function scaleAndBatchSubrelations( - Fr[NUMBER_OF_SUBRELATIONS] memory evaluations, - Fr[NUMBER_OF_ALPHAS] memory subrelationChallenges - ) internal pure returns (Fr accumulator) { - accumulator = 
evaluations[0]; - - for (uint256 i = 1; i < NUMBER_OF_SUBRELATIONS; ++i) { - accumulator = accumulator + evaluations[i] * subrelationChallenges[i - 1]; - } - } + function accumulateArithmeticRelation( + Fr[NUMBER_OF_ENTITIES] memory p, + Fr[NUMBER_OF_SUBRELATIONS] memory evals, + Fr domainSep + ) internal pure { + // Relation 0 + Fr q_arith = wire(p, WIRE.Q_ARITH); + { + Fr neg_half = Fr.wrap(NEG_HALF_MODULO_P); + + Fr accum = (q_arith - Fr.wrap(3)) * (wire(p, WIRE.Q_M) * wire(p, WIRE.W_R) * wire(p, WIRE.W_L)) * neg_half; + accum = accum + (wire(p, WIRE.Q_L) * wire(p, WIRE.W_L)) + (wire(p, WIRE.Q_R) * wire(p, WIRE.W_R)) + + (wire(p, WIRE.Q_O) * wire(p, WIRE.W_O)) + (wire(p, WIRE.Q_4) * wire(p, WIRE.W_4)) + wire(p, WIRE.Q_C); + accum = accum + (q_arith - ONE) * wire(p, WIRE.W_4_SHIFT); + accum = accum * q_arith; + accum = accum * domainSep; + evals[0] = accum; + } + + // Relation 1 + { + Fr accum = wire(p, WIRE.W_L) + wire(p, WIRE.W_4) - wire(p, WIRE.W_L_SHIFT) + wire(p, WIRE.Q_M); + accum = accum * (q_arith - Fr.wrap(2)); + accum = accum * (q_arith - ONE); + accum = accum * q_arith; + accum = accum * domainSep; + evals[1] = accum; + } + } + + function accumulatePermutationRelation( + Fr[NUMBER_OF_ENTITIES] memory p, + Honk.RelationParameters memory rp, + Fr[NUMBER_OF_SUBRELATIONS] memory evals, + Fr domainSep + ) internal pure { + Fr grand_product_numerator; + Fr grand_product_denominator; + + { + Fr num = wire(p, WIRE.W_L) + wire(p, WIRE.ID_1) * rp.beta + rp.gamma; + num = num * (wire(p, WIRE.W_R) + wire(p, WIRE.ID_2) * rp.beta + rp.gamma); + num = num * (wire(p, WIRE.W_O) + wire(p, WIRE.ID_3) * rp.beta + rp.gamma); + num = num * (wire(p, WIRE.W_4) + wire(p, WIRE.ID_4) * rp.beta + rp.gamma); + + grand_product_numerator = num; + } + { + Fr den = wire(p, WIRE.W_L) + wire(p, WIRE.SIGMA_1) * rp.beta + rp.gamma; + den = den * (wire(p, WIRE.W_R) + wire(p, WIRE.SIGMA_2) * rp.beta + rp.gamma); + den = den * (wire(p, WIRE.W_O) + wire(p, WIRE.SIGMA_3) * rp.beta + rp.gamma); 
+ den = den * (wire(p, WIRE.W_4) + wire(p, WIRE.SIGMA_4) * rp.beta + rp.gamma); + + grand_product_denominator = den; + } + + // Contribution 2 + { + Fr acc = (wire(p, WIRE.Z_PERM) + wire(p, WIRE.LAGRANGE_FIRST)) * grand_product_numerator; + + acc = acc + - ( + (wire(p, WIRE.Z_PERM_SHIFT) + (wire(p, WIRE.LAGRANGE_LAST) * rp.publicInputsDelta)) + * grand_product_denominator + ); + acc = acc * domainSep; + evals[2] = acc; + } + + // Contribution 3 + { + Fr acc = (wire(p, WIRE.LAGRANGE_LAST) * wire(p, WIRE.Z_PERM_SHIFT)) * domainSep; + evals[3] = acc; + } + } + + function accumulateLogDerivativeLookupRelation( + Fr[NUMBER_OF_ENTITIES] memory p, + Honk.RelationParameters memory rp, + Fr[NUMBER_OF_SUBRELATIONS] memory evals, + Fr domainSep + ) internal pure { + Fr write_term; + Fr read_term; + + // Calculate the write term (the table accumulation) + { + write_term = wire(p, WIRE.TABLE_1) + rp.gamma + (wire(p, WIRE.TABLE_2) * rp.eta) + + (wire(p, WIRE.TABLE_3) * rp.etaTwo) + (wire(p, WIRE.TABLE_4) * rp.etaThree); + } + + // Calculate the write term + { + Fr derived_entry_1 = wire(p, WIRE.W_L) + rp.gamma + (wire(p, WIRE.Q_R) * wire(p, WIRE.W_L_SHIFT)); + Fr derived_entry_2 = wire(p, WIRE.W_R) + wire(p, WIRE.Q_M) * wire(p, WIRE.W_R_SHIFT); + Fr derived_entry_3 = wire(p, WIRE.W_O) + wire(p, WIRE.Q_C) * wire(p, WIRE.W_O_SHIFT); + + read_term = derived_entry_1 + (derived_entry_2 * rp.eta) + (derived_entry_3 * rp.etaTwo) + + (wire(p, WIRE.Q_O) * rp.etaThree); + } + + Fr read_inverse = wire(p, WIRE.LOOKUP_INVERSES) * write_term; + Fr write_inverse = wire(p, WIRE.LOOKUP_INVERSES) * read_term; + + Fr inverse_exists_xor = wire(p, WIRE.LOOKUP_READ_TAGS) + wire(p, WIRE.Q_LOOKUP) + - (wire(p, WIRE.LOOKUP_READ_TAGS) * wire(p, WIRE.Q_LOOKUP)); + + // Inverse calculated correctly relation + Fr accumulatorNone = read_term * write_term * wire(p, WIRE.LOOKUP_INVERSES) - inverse_exists_xor; + accumulatorNone = accumulatorNone * domainSep; + + // Inverse + Fr accumulatorOne = wire(p, 
WIRE.Q_LOOKUP) * read_inverse - wire(p, WIRE.LOOKUP_READ_COUNTS) * write_inverse; + + Fr read_tag = wire(p, WIRE.LOOKUP_READ_TAGS); + + Fr read_tag_boolean_relation = read_tag * read_tag - read_tag; + + evals[4] = accumulatorNone; + evals[5] = accumulatorOne; + evals[6] = read_tag_boolean_relation * domainSep; + } + + function accumulateDeltaRangeRelation( + Fr[NUMBER_OF_ENTITIES] memory p, + Fr[NUMBER_OF_SUBRELATIONS] memory evals, + Fr domainSep + ) internal pure { + Fr minus_one = ZERO - ONE; + Fr minus_two = ZERO - Fr.wrap(2); + Fr minus_three = ZERO - Fr.wrap(3); + + // Compute wire differences + Fr delta_1 = wire(p, WIRE.W_R) - wire(p, WIRE.W_L); + Fr delta_2 = wire(p, WIRE.W_O) - wire(p, WIRE.W_R); + Fr delta_3 = wire(p, WIRE.W_4) - wire(p, WIRE.W_O); + Fr delta_4 = wire(p, WIRE.W_L_SHIFT) - wire(p, WIRE.W_4); + + // Contribution 6 + { + Fr acc = delta_1; + acc = acc * (delta_1 + minus_one); + acc = acc * (delta_1 + minus_two); + acc = acc * (delta_1 + minus_three); + acc = acc * wire(p, WIRE.Q_RANGE); + acc = acc * domainSep; + evals[7] = acc; + } + + // Contribution 7 + { + Fr acc = delta_2; + acc = acc * (delta_2 + minus_one); + acc = acc * (delta_2 + minus_two); + acc = acc * (delta_2 + minus_three); + acc = acc * wire(p, WIRE.Q_RANGE); + acc = acc * domainSep; + evals[8] = acc; + } + + // Contribution 8 + { + Fr acc = delta_3; + acc = acc * (delta_3 + minus_one); + acc = acc * (delta_3 + minus_two); + acc = acc * (delta_3 + minus_three); + acc = acc * wire(p, WIRE.Q_RANGE); + acc = acc * domainSep; + evals[9] = acc; + } + + // Contribution 9 + { + Fr acc = delta_4; + acc = acc * (delta_4 + minus_one); + acc = acc * (delta_4 + minus_two); + acc = acc * (delta_4 + minus_three); + acc = acc * wire(p, WIRE.Q_RANGE); + acc = acc * domainSep; + evals[10] = acc; + } + } + + struct EllipticParams { + // Points + Fr x_1; + Fr y_1; + Fr x_2; + Fr y_2; + Fr y_3; + Fr x_3; + // push accumulators into memory + Fr x_double_identity; + } + + function 
accumulateEllipticRelation( + Fr[NUMBER_OF_ENTITIES] memory p, + Fr[NUMBER_OF_SUBRELATIONS] memory evals, + Fr domainSep + ) internal pure { + EllipticParams memory ep; + ep.x_1 = wire(p, WIRE.W_R); + ep.y_1 = wire(p, WIRE.W_O); + + ep.x_2 = wire(p, WIRE.W_L_SHIFT); + ep.y_2 = wire(p, WIRE.W_4_SHIFT); + ep.y_3 = wire(p, WIRE.W_O_SHIFT); + ep.x_3 = wire(p, WIRE.W_R_SHIFT); + + Fr q_sign = wire(p, WIRE.Q_L); + Fr q_is_double = wire(p, WIRE.Q_M); + + // Contribution 10 point addition, x-coordinate check + // q_elliptic * (x3 + x2 + x1)(x2 - x1)(x2 - x1) - y2^2 - y1^2 + 2(y2y1)*q_sign = 0 + Fr x_diff = (ep.x_2 - ep.x_1); + Fr y1_sqr = (ep.y_1 * ep.y_1); + { + // Move to top + Fr partialEval = domainSep; + + Fr y2_sqr = (ep.y_2 * ep.y_2); + Fr y1y2 = ep.y_1 * ep.y_2 * q_sign; + Fr x_add_identity = (ep.x_3 + ep.x_2 + ep.x_1); + x_add_identity = x_add_identity * x_diff * x_diff; + x_add_identity = x_add_identity - y2_sqr - y1_sqr + y1y2 + y1y2; + + evals[11] = x_add_identity * partialEval * wire(p, WIRE.Q_ELLIPTIC) * (ONE - q_is_double); + } + + // Contribution 11 point addition, x-coordinate check + // q_elliptic * (q_sign * y1 + y3)(x2 - x1) + (x3 - x1)(y2 - q_sign * y1) = 0 + { + Fr y1_plus_y3 = ep.y_1 + ep.y_3; + Fr y_diff = ep.y_2 * q_sign - ep.y_1; + Fr y_add_identity = y1_plus_y3 * x_diff + (ep.x_3 - ep.x_1) * y_diff; + evals[12] = y_add_identity * domainSep * wire(p, WIRE.Q_ELLIPTIC) * (ONE - q_is_double); + } + + // Contribution 10 point doubling, x-coordinate check + // (x3 + x1 + x1) (4y1*y1) - 9 * x1 * x1 * x1 * x1 = 0 + // N.B. 
we're using the equivalence x1*x1*x1 === y1*y1 - curve_b to reduce degree by 1 + { + Fr x_pow_4 = (y1_sqr + GRUMPKIN_CURVE_B_PARAMETER_NEGATED) * ep.x_1; + Fr y1_sqr_mul_4 = y1_sqr + y1_sqr; + y1_sqr_mul_4 = y1_sqr_mul_4 + y1_sqr_mul_4; + Fr x1_pow_4_mul_9 = x_pow_4 * Fr.wrap(9); + + // NOTE: pushed into memory (stack >:'( ) + ep.x_double_identity = (ep.x_3 + ep.x_1 + ep.x_1) * y1_sqr_mul_4 - x1_pow_4_mul_9; + + Fr acc = ep.x_double_identity * domainSep * wire(p, WIRE.Q_ELLIPTIC) * q_is_double; + evals[11] = evals[11] + acc; + } + + // Contribution 11 point doubling, y-coordinate check + // (y1 + y1) (2y1) - (3 * x1 * x1)(x1 - x3) = 0 + { + Fr x1_sqr_mul_3 = (ep.x_1 + ep.x_1 + ep.x_1) * ep.x_1; + Fr y_double_identity = x1_sqr_mul_3 * (ep.x_1 - ep.x_3) - (ep.y_1 + ep.y_1) * (ep.y_1 + ep.y_3); + evals[12] = evals[12] + y_double_identity * domainSep * wire(p, WIRE.Q_ELLIPTIC) * q_is_double; + } + } + + // Parameters used within the Memory Relation + // A struct is used to work around stack too deep. 
This relation has alot of variables + struct MemParams { + Fr memory_record_check; + Fr partial_record_check; + Fr next_gate_access_type; + Fr record_delta; + Fr index_delta; + Fr adjacent_values_match_if_adjacent_indices_match; + Fr adjacent_values_match_if_adjacent_indices_match_and_next_access_is_a_read_operation; + Fr access_check; + Fr next_gate_access_type_is_boolean; + Fr ROM_consistency_check_identity; + Fr RAM_consistency_check_identity; + Fr timestamp_delta; + Fr RAM_timestamp_check_identity; + Fr memory_identity; + Fr index_is_monotonically_increasing; + } + + function accumulateMemoryRelation( + Fr[NUMBER_OF_ENTITIES] memory p, + Honk.RelationParameters memory rp, + Fr[NUMBER_OF_SUBRELATIONS] memory evals, + Fr domainSep + ) internal pure { + MemParams memory ap; + + /** + * MEMORY + * + * A RAM memory record contains a tuple of the following fields: + * * i: `index` of memory cell being accessed + * * t: `timestamp` of memory cell being accessed (used for RAM, set to 0 for ROM) + * * v: `value` of memory cell being accessed + * * a: `access` type of record. read: 0 = read, 1 = write + * * r: `record` of memory cell. record = access + index * eta + timestamp * eta_two + value * eta_three + * + * A ROM memory record contains a tuple of the following fields: + * * i: `index` of memory cell being accessed + * * v: `value1` of memory cell being accessed (ROM tables can store up to 2 values per index) + * * v2:`value2` of memory cell being accessed (ROM tables can store up to 2 values per index) + * * r: `record` of memory cell. 
record = index * eta + value2 * eta_two + value1 * eta_three + * + * When performing a read/write access, the values of i, t, v, v2, a, r are stored in the following wires + + * selectors, depending on whether the gate is a RAM read/write or a ROM read + * + * | gate type | i | v2/t | v | a | r | + * | --------- | -- | ----- | -- | -- | -- | + * | ROM | w1 | w2 | w3 | -- | w4 | + * | RAM | w1 | w2 | w3 | qc | w4 | + * + * (for accesses where `index` is a circuit constant, it is assumed the circuit will apply a copy constraint on + * `w2` to fix its value) + * + * + */ + + /** + * Memory Record Check + * Partial degree: 1 + * Total degree: 4 + * + * A ROM/ROM access gate can be evaluated with the identity: + * + * qc + w1 \eta + w2 \eta_two + w3 \eta_three - w4 = 0 + * + * For ROM gates, qc = 0 + */ + ap.memory_record_check = wire(p, WIRE.W_O) * rp.etaThree; + ap.memory_record_check = ap.memory_record_check + (wire(p, WIRE.W_R) * rp.etaTwo); + ap.memory_record_check = ap.memory_record_check + (wire(p, WIRE.W_L) * rp.eta); + ap.memory_record_check = ap.memory_record_check + wire(p, WIRE.Q_C); + ap.partial_record_check = ap.memory_record_check; // used in RAM consistency check; deg 1 or 4 + ap.memory_record_check = ap.memory_record_check - wire(p, WIRE.W_4); + + /** + * Contribution 13 & 14 + * ROM Consistency Check + * Partial degree: 1 + * Total degree: 4 + * + * For every ROM read, a set equivalence check is applied between the record witnesses, and a second set of + * records that are sorted. + * + * We apply the following checks for the sorted records: + * + * 1. w1, w2, w3 correctly map to 'index', 'v1, 'v2' for a given record value at w4 + * 2. index values for adjacent records are monotonically increasing + * 3. 
if, at gate i, index_i == index_{i + 1}, then value1_i == value1_{i + 1} and value2_i == value2_{i + 1} + * + */ + ap.index_delta = wire(p, WIRE.W_L_SHIFT) - wire(p, WIRE.W_L); + ap.record_delta = wire(p, WIRE.W_4_SHIFT) - wire(p, WIRE.W_4); + + ap.index_is_monotonically_increasing = ap.index_delta * (ap.index_delta - Fr.wrap(1)); // deg 2 + + ap.adjacent_values_match_if_adjacent_indices_match = (ap.index_delta * MINUS_ONE + ONE) * ap.record_delta; // deg 2 + + evals[14] = ap.adjacent_values_match_if_adjacent_indices_match * (wire(p, WIRE.Q_L) * wire(p, WIRE.Q_R)) + * (wire(p, WIRE.Q_MEMORY) * domainSep); // deg 5 + evals[15] = ap.index_is_monotonically_increasing * (wire(p, WIRE.Q_L) * wire(p, WIRE.Q_R)) + * (wire(p, WIRE.Q_MEMORY) * domainSep); // deg 5 + + ap.ROM_consistency_check_identity = ap.memory_record_check * (wire(p, WIRE.Q_L) * wire(p, WIRE.Q_R)); // deg 3 or 7 + + /** + * Contributions 15,16,17 + * RAM Consistency Check + * + * The 'access' type of the record is extracted with the expression `w_4 - ap.partial_record_check` + * (i.e. for an honest Prover `w1 * eta + w2 * eta^2 + w3 * eta^3 - w4 = access`. + * This is validated by requiring `access` to be boolean + * + * For two adjacent entries in the sorted list if _both_ + * A) index values match + * B) adjacent access value is 0 (i.e. next gate is a READ) + * then + * C) both values must match. + * The gate boolean check is + * (A && B) => C === !(A && B) || C === !A || !B || C + * + * N.B. it is the responsibility of the circuit writer to ensure that every RAM cell is initialized + * with a WRITE operation. 
+ */ + Fr access_type = (wire(p, WIRE.W_4) - ap.partial_record_check); // will be 0 or 1 for honest Prover; deg 1 or 4 + ap.access_check = access_type * (access_type - Fr.wrap(1)); // check value is 0 or 1; deg 2 or 8 + + // reverse order we could re-use `ap.partial_record_check` 1 - ((w3' * eta + w2') * eta + w1') * eta + // deg 1 or 4 + ap.next_gate_access_type = wire(p, WIRE.W_O_SHIFT) * rp.etaThree; + ap.next_gate_access_type = ap.next_gate_access_type + (wire(p, WIRE.W_R_SHIFT) * rp.etaTwo); + ap.next_gate_access_type = ap.next_gate_access_type + (wire(p, WIRE.W_L_SHIFT) * rp.eta); + ap.next_gate_access_type = wire(p, WIRE.W_4_SHIFT) - ap.next_gate_access_type; + + Fr value_delta = wire(p, WIRE.W_O_SHIFT) - wire(p, WIRE.W_O); + ap.adjacent_values_match_if_adjacent_indices_match_and_next_access_is_a_read_operation = + (ap.index_delta * MINUS_ONE + ONE) * value_delta * (ap.next_gate_access_type * MINUS_ONE + ONE); // deg 3 or 6 + + // We can't apply the RAM consistency check identity on the final entry in the sorted list (the wires in the + // next gate would make the identity fail). We need to validate that its 'access type' bool is correct. Can't + // do with an arithmetic gate because of the `eta` factors. We need to check that the *next* gate's access + // type is correct, to cover this edge case + // deg 2 or 4 + ap.next_gate_access_type_is_boolean = + ap.next_gate_access_type * ap.next_gate_access_type - ap.next_gate_access_type; + + // Putting it all together... 
+ evals[16] = ap.adjacent_values_match_if_adjacent_indices_match_and_next_access_is_a_read_operation + * (wire(p, WIRE.Q_O)) * (wire(p, WIRE.Q_MEMORY) * domainSep); // deg 5 or 8 + evals[17] = ap.index_is_monotonically_increasing * (wire(p, WIRE.Q_O)) * (wire(p, WIRE.Q_MEMORY) * domainSep); // deg 4 + evals[18] = ap.next_gate_access_type_is_boolean * (wire(p, WIRE.Q_O)) * (wire(p, WIRE.Q_MEMORY) * domainSep); // deg 4 or 6 + + ap.RAM_consistency_check_identity = ap.access_check * (wire(p, WIRE.Q_O)); // deg 3 or 9 + + /** + * RAM Timestamp Consistency Check + * + * | w1 | w2 | w3 | w4 | + * | index | timestamp | timestamp_check | -- | + * + * Let delta_index = index_{i + 1} - index_{i} + * + * Iff delta_index == 0, timestamp_check = timestamp_{i + 1} - timestamp_i + * Else timestamp_check = 0 + */ + ap.timestamp_delta = wire(p, WIRE.W_R_SHIFT) - wire(p, WIRE.W_R); + ap.RAM_timestamp_check_identity = (ap.index_delta * MINUS_ONE + ONE) * ap.timestamp_delta - wire(p, WIRE.W_O); // deg 3 + + /** + * Complete Contribution 12 + * The complete RAM/ROM memory identity + * Partial degree: + */ + ap.memory_identity = ap.ROM_consistency_check_identity; // deg 3 or 6 + ap.memory_identity = + ap.memory_identity + ap.RAM_timestamp_check_identity * (wire(p, WIRE.Q_4) * wire(p, WIRE.Q_L)); // deg 4 + ap.memory_identity = ap.memory_identity + ap.memory_record_check * (wire(p, WIRE.Q_M) * wire(p, WIRE.Q_L)); // deg 3 or 6 + ap.memory_identity = ap.memory_identity + ap.RAM_consistency_check_identity; // deg 3 or 9 + + // (deg 3 or 9) + (deg 4) + (deg 3) + ap.memory_identity = ap.memory_identity * (wire(p, WIRE.Q_MEMORY) * domainSep); // deg 4 or 10 + evals[13] = ap.memory_identity; + } + + // Constants for the Non-native Field relation + Fr constant LIMB_SIZE = Fr.wrap(uint256(1) << 68); + Fr constant SUBLIMB_SHIFT = Fr.wrap(uint256(1) << 14); + + // Parameters used within the Non-Native Field Relation + // A struct is used to work around stack too deep. 
This relation has alot of variables + struct NnfParams { + Fr limb_subproduct; + Fr non_native_field_gate_1; + Fr non_native_field_gate_2; + Fr non_native_field_gate_3; + Fr limb_accumulator_1; + Fr limb_accumulator_2; + Fr nnf_identity; + } + + function accumulateNnfRelation( + Fr[NUMBER_OF_ENTITIES] memory p, + Fr[NUMBER_OF_SUBRELATIONS] memory evals, + Fr domainSep + ) internal pure { + NnfParams memory ap; + + /** + * Contribution 12 + * Non native field arithmetic gate 2 + * deg 4 + * + * _ _ + * / _ _ _ 14 \ + * q_2 . q_4 | (w_1 . w_2) + (w_1 . w_2) + (w_1 . w_4 + w_2 . w_3 - w_3) . 2 - w_3 - w_4 | + * \_ _/ + * + * + */ + ap.limb_subproduct = wire(p, WIRE.W_L) * wire(p, WIRE.W_R_SHIFT) + wire(p, WIRE.W_L_SHIFT) * wire(p, WIRE.W_R); + ap.non_native_field_gate_2 = + (wire(p, WIRE.W_L) * wire(p, WIRE.W_4) + wire(p, WIRE.W_R) * wire(p, WIRE.W_O) - wire(p, WIRE.W_O_SHIFT)); + ap.non_native_field_gate_2 = ap.non_native_field_gate_2 * LIMB_SIZE; + ap.non_native_field_gate_2 = ap.non_native_field_gate_2 - wire(p, WIRE.W_4_SHIFT); + ap.non_native_field_gate_2 = ap.non_native_field_gate_2 + ap.limb_subproduct; + ap.non_native_field_gate_2 = ap.non_native_field_gate_2 * wire(p, WIRE.Q_4); + + ap.limb_subproduct = ap.limb_subproduct * LIMB_SIZE; + ap.limb_subproduct = ap.limb_subproduct + (wire(p, WIRE.W_L_SHIFT) * wire(p, WIRE.W_R_SHIFT)); + ap.non_native_field_gate_1 = ap.limb_subproduct; + ap.non_native_field_gate_1 = ap.non_native_field_gate_1 - (wire(p, WIRE.W_O) + wire(p, WIRE.W_4)); + ap.non_native_field_gate_1 = ap.non_native_field_gate_1 * wire(p, WIRE.Q_O); + + ap.non_native_field_gate_3 = ap.limb_subproduct; + ap.non_native_field_gate_3 = ap.non_native_field_gate_3 + wire(p, WIRE.W_4); + ap.non_native_field_gate_3 = ap.non_native_field_gate_3 - (wire(p, WIRE.W_O_SHIFT) + wire(p, WIRE.W_4_SHIFT)); + ap.non_native_field_gate_3 = ap.non_native_field_gate_3 * wire(p, WIRE.Q_M); + + Fr non_native_field_identity = + ap.non_native_field_gate_1 + 
ap.non_native_field_gate_2 + ap.non_native_field_gate_3; + non_native_field_identity = non_native_field_identity * wire(p, WIRE.Q_R); + + // ((((w2' * 2^14 + w1') * 2^14 + w3) * 2^14 + w2) * 2^14 + w1 - w4) * qm + // deg 2 + ap.limb_accumulator_1 = wire(p, WIRE.W_R_SHIFT) * SUBLIMB_SHIFT; + ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_L_SHIFT); + ap.limb_accumulator_1 = ap.limb_accumulator_1 * SUBLIMB_SHIFT; + ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_O); + ap.limb_accumulator_1 = ap.limb_accumulator_1 * SUBLIMB_SHIFT; + ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_R); + ap.limb_accumulator_1 = ap.limb_accumulator_1 * SUBLIMB_SHIFT; + ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_L); + ap.limb_accumulator_1 = ap.limb_accumulator_1 - wire(p, WIRE.W_4); + ap.limb_accumulator_1 = ap.limb_accumulator_1 * wire(p, WIRE.Q_4); + + // ((((w3' * 2^14 + w2') * 2^14 + w1') * 2^14 + w4) * 2^14 + w3 - w4') * qm + // deg 2 + ap.limb_accumulator_2 = wire(p, WIRE.W_O_SHIFT) * SUBLIMB_SHIFT; + ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_R_SHIFT); + ap.limb_accumulator_2 = ap.limb_accumulator_2 * SUBLIMB_SHIFT; + ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_L_SHIFT); + ap.limb_accumulator_2 = ap.limb_accumulator_2 * SUBLIMB_SHIFT; + ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_4); + ap.limb_accumulator_2 = ap.limb_accumulator_2 * SUBLIMB_SHIFT; + ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_O); + ap.limb_accumulator_2 = ap.limb_accumulator_2 - wire(p, WIRE.W_4_SHIFT); + ap.limb_accumulator_2 = ap.limb_accumulator_2 * wire(p, WIRE.Q_M); + + Fr limb_accumulator_identity = ap.limb_accumulator_1 + ap.limb_accumulator_2; + limb_accumulator_identity = limb_accumulator_identity * wire(p, WIRE.Q_O); // deg 3 + + ap.nnf_identity = non_native_field_identity + limb_accumulator_identity; + ap.nnf_identity = ap.nnf_identity * (wire(p, WIRE.Q_NNF) * 
domainSep); + evals[19] = ap.nnf_identity; + } + + struct PoseidonExternalParams { + Fr s1; + Fr s2; + Fr s3; + Fr s4; + Fr u1; + Fr u2; + Fr u3; + Fr u4; + Fr t0; + Fr t1; + Fr t2; + Fr t3; + Fr v1; + Fr v2; + Fr v3; + Fr v4; + Fr q_pos_by_scaling; + } + + function accumulatePoseidonExternalRelation( + Fr[NUMBER_OF_ENTITIES] memory p, + Fr[NUMBER_OF_SUBRELATIONS] memory evals, + Fr domainSep + ) internal pure { + PoseidonExternalParams memory ep; + + ep.s1 = wire(p, WIRE.W_L) + wire(p, WIRE.Q_L); + ep.s2 = wire(p, WIRE.W_R) + wire(p, WIRE.Q_R); + ep.s3 = wire(p, WIRE.W_O) + wire(p, WIRE.Q_O); + ep.s4 = wire(p, WIRE.W_4) + wire(p, WIRE.Q_4); + + ep.u1 = ep.s1 * ep.s1 * ep.s1 * ep.s1 * ep.s1; + ep.u2 = ep.s2 * ep.s2 * ep.s2 * ep.s2 * ep.s2; + ep.u3 = ep.s3 * ep.s3 * ep.s3 * ep.s3 * ep.s3; + ep.u4 = ep.s4 * ep.s4 * ep.s4 * ep.s4 * ep.s4; + // matrix mul v = M_E * u with 14 additions + ep.t0 = ep.u1 + ep.u2; // u_1 + u_2 + ep.t1 = ep.u3 + ep.u4; // u_3 + u_4 + ep.t2 = ep.u2 + ep.u2 + ep.t1; // 2u_2 + // ep.t2 += ep.t1; // 2u_2 + u_3 + u_4 + ep.t3 = ep.u4 + ep.u4 + ep.t0; // 2u_4 + // ep.t3 += ep.t0; // u_1 + u_2 + 2u_4 + ep.v4 = ep.t1 + ep.t1; + ep.v4 = ep.v4 + ep.v4 + ep.t3; + // ep.v4 += ep.t3; // u_1 + u_2 + 4u_3 + 6u_4 + ep.v2 = ep.t0 + ep.t0; + ep.v2 = ep.v2 + ep.v2 + ep.t2; + // ep.v2 += ep.t2; // 4u_1 + 6u_2 + u_3 + u_4 + ep.v1 = ep.t3 + ep.v2; // 5u_1 + 7u_2 + u_3 + 3u_4 + ep.v3 = ep.t2 + ep.v4; // u_1 + 3u_2 + 5u_3 + 7u_4 + + ep.q_pos_by_scaling = wire(p, WIRE.Q_POSEIDON2_EXTERNAL) * domainSep; + evals[20] = evals[20] + ep.q_pos_by_scaling * (ep.v1 - wire(p, WIRE.W_L_SHIFT)); + + evals[21] = evals[21] + ep.q_pos_by_scaling * (ep.v2 - wire(p, WIRE.W_R_SHIFT)); + + evals[22] = evals[22] + ep.q_pos_by_scaling * (ep.v3 - wire(p, WIRE.W_O_SHIFT)); + + evals[23] = evals[23] + ep.q_pos_by_scaling * (ep.v4 - wire(p, WIRE.W_4_SHIFT)); + } + + struct PoseidonInternalParams { + Fr u1; + Fr u2; + Fr u3; + Fr u4; + Fr u_sum; + Fr v1; + Fr v2; + Fr v3; + Fr v4; + Fr s1; + 
Fr q_pos_by_scaling; + } + + function accumulatePoseidonInternalRelation( + Fr[NUMBER_OF_ENTITIES] memory p, + Fr[NUMBER_OF_SUBRELATIONS] memory evals, + Fr domainSep + ) internal pure { + PoseidonInternalParams memory ip; + + Fr[4] memory INTERNAL_MATRIX_DIAGONAL = [ + FrLib.from(0x10dc6e9c006ea38b04b1e03b4bd9490c0d03f98929ca1d7fb56821fd19d3b6e7), + FrLib.from(0x0c28145b6a44df3e0149b3d0a30b3bb599df9756d4dd9b84a86b38cfb45a740b), + FrLib.from(0x00544b8338791518b2c7645a50392798b21f75bb60e3596170067d00141cac15), + FrLib.from(0x222c01175718386f2e2e82eb122789e352e105a3b8fa852613bc534433ee428b) + ]; + + // add round constants + ip.s1 = wire(p, WIRE.W_L) + wire(p, WIRE.Q_L); + + // apply s-box round + ip.u1 = ip.s1 * ip.s1 * ip.s1 * ip.s1 * ip.s1; + ip.u2 = wire(p, WIRE.W_R); + ip.u3 = wire(p, WIRE.W_O); + ip.u4 = wire(p, WIRE.W_4); + + // matrix mul with v = M_I * u 4 muls and 7 additions + ip.u_sum = ip.u1 + ip.u2 + ip.u3 + ip.u4; + + ip.q_pos_by_scaling = wire(p, WIRE.Q_POSEIDON2_INTERNAL) * domainSep; + + ip.v1 = ip.u1 * INTERNAL_MATRIX_DIAGONAL[0] + ip.u_sum; + evals[24] = evals[24] + ip.q_pos_by_scaling * (ip.v1 - wire(p, WIRE.W_L_SHIFT)); + + ip.v2 = ip.u2 * INTERNAL_MATRIX_DIAGONAL[1] + ip.u_sum; + evals[25] = evals[25] + ip.q_pos_by_scaling * (ip.v2 - wire(p, WIRE.W_R_SHIFT)); + + ip.v3 = ip.u3 * INTERNAL_MATRIX_DIAGONAL[2] + ip.u_sum; + evals[26] = evals[26] + ip.q_pos_by_scaling * (ip.v3 - wire(p, WIRE.W_O_SHIFT)); + + ip.v4 = ip.u4 * INTERNAL_MATRIX_DIAGONAL[3] + ip.u_sum; + evals[27] = evals[27] + ip.q_pos_by_scaling * (ip.v4 - wire(p, WIRE.W_4_SHIFT)); + } + + function scaleAndBatchSubrelations( + Fr[NUMBER_OF_SUBRELATIONS] memory evaluations, + Fr[NUMBER_OF_ALPHAS] memory subrelationChallenges + ) internal pure returns (Fr accumulator) { + accumulator = evaluations[0]; + + for (uint256 i = 1; i < NUMBER_OF_SUBRELATIONS; ++i) { + accumulator = accumulator + evaluations[i] * subrelationChallenges[i - 1]; + } + } } // Field arithmetic libraries - prevent 
littering the code with modmul / addmul library CommitmentSchemeLib { - using FrLib for Fr; - - // Avoid stack too deep - struct ShpleminiIntermediates { - Fr unshiftedScalar; - Fr shiftedScalar; - Fr unshiftedScalarNeg; - Fr shiftedScalarNeg; - // Scalar to be multiplied by [1]₁ - Fr constantTermAccumulator; - // Accumulator for powers of rho - Fr batchingChallenge; - // Linear combination of multilinear (sumcheck) evaluations and powers of rho - Fr batchedEvaluation; - Fr[4] denominators; - Fr[4] batchingScalars; - // 1/(z - r^{2^i}) for i = 0, ..., logSize, dynamically updated - Fr posInvertedDenominator; - // 1/(z + r^{2^i}) for i = 0, ..., logSize, dynamically updated - Fr negInvertedDenominator; - // ν^{2i} * 1/(z - r^{2^i}) - Fr scalingFactorPos; - // ν^{2i+1} * 1/(z + r^{2^i}) - Fr scalingFactorNeg; - // Fold_i(r^{2^i}) reconstructed by Verifier - Fr[] foldPosEvaluations; - } - - function computeSquares(Fr r, uint256 logN) internal pure returns (Fr[] memory) { - Fr[] memory squares = new Fr[](logN); - squares[0] = r; - for (uint256 i = 1; i < logN; ++i) { - squares[i] = squares[i - 1].sqr(); - } - return squares; - } - // Compute the evaluations Aₗ(r^{2ˡ}) for l = 0, ..., m-1 - - function computeFoldPosEvaluations( - Fr[CONST_PROOF_SIZE_LOG_N] memory sumcheckUChallenges, - Fr batchedEvalAccumulator, - Fr[CONST_PROOF_SIZE_LOG_N] memory geminiEvaluations, - Fr[] memory geminiEvalChallengePowers, - uint256 logSize - ) internal view returns (Fr[] memory) { - Fr[] memory foldPosEvaluations = new Fr[](logSize); - for (uint256 i = logSize; i > 0; --i) { - Fr challengePower = geminiEvalChallengePowers[i - 1]; - Fr u = sumcheckUChallenges[i - 1]; - - Fr batchedEvalRoundAcc = ((challengePower * batchedEvalAccumulator * Fr.wrap(2)) - - geminiEvaluations[i - 1] * - (challengePower * (ONE - u) - u)); - // Divide by the denominator - batchedEvalRoundAcc = batchedEvalRoundAcc * (challengePower * (ONE - u) + u).invert(); - - batchedEvalAccumulator = batchedEvalRoundAcc; - 
foldPosEvaluations[i - 1] = batchedEvalRoundAcc; - } - return foldPosEvaluations; - } + using FrLib for Fr; + + // Avoid stack too deep + struct ShpleminiIntermediates { + Fr unshiftedScalar; + Fr shiftedScalar; + Fr unshiftedScalarNeg; + Fr shiftedScalarNeg; + // Scalar to be multiplied by [1]₁ + Fr constantTermAccumulator; + // Accumulator for powers of rho + Fr batchingChallenge; + // Linear combination of multilinear (sumcheck) evaluations and powers of rho + Fr batchedEvaluation; + Fr[4] denominators; + Fr[4] batchingScalars; + // 1/(z - r^{2^i}) for i = 0, ..., logSize, dynamically updated + Fr posInvertedDenominator; + // 1/(z + r^{2^i}) for i = 0, ..., logSize, dynamically updated + Fr negInvertedDenominator; + // ν^{2i} * 1/(z - r^{2^i}) + Fr scalingFactorPos; + // ν^{2i+1} * 1/(z + r^{2^i}) + Fr scalingFactorNeg; + // Fold_i(r^{2^i}) reconstructed by Verifier + Fr[] foldPosEvaluations; + } + + function computeSquares(Fr r, uint256 logN) internal pure returns (Fr[] memory) { + Fr[] memory squares = new Fr[](logN); + squares[0] = r; + for (uint256 i = 1; i < logN; ++i) { + squares[i] = squares[i - 1].sqr(); + } + return squares; + } + // Compute the evaluations Aₗ(r^{2ˡ}) for l = 0, ..., m-1 + + function computeFoldPosEvaluations( + Fr[CONST_PROOF_SIZE_LOG_N] memory sumcheckUChallenges, + Fr batchedEvalAccumulator, + Fr[CONST_PROOF_SIZE_LOG_N] memory geminiEvaluations, + Fr[] memory geminiEvalChallengePowers, + uint256 logSize + ) internal view returns (Fr[] memory) { + Fr[] memory foldPosEvaluations = new Fr[](logSize); + for (uint256 i = logSize; i > 0; --i) { + Fr challengePower = geminiEvalChallengePowers[i - 1]; + Fr u = sumcheckUChallenges[i - 1]; + + Fr batchedEvalRoundAcc = ( + (challengePower * batchedEvalAccumulator * Fr.wrap(2)) + - geminiEvaluations[i - 1] * (challengePower * (ONE - u) - u) + ); + // Divide by the denominator + batchedEvalRoundAcc = batchedEvalRoundAcc * (challengePower * (ONE - u) + u).invert(); + + batchedEvalAccumulator = 
batchedEvalRoundAcc; + foldPosEvaluations[i - 1] = batchedEvalRoundAcc; + } + return foldPosEvaluations; + } } uint256 constant Q = 21888242871839275222246405745257275088696311157297823662689037894645226208583; // EC group order. F_q function bytes32ToString(bytes32 value) pure returns (string memory result) { - bytes memory alphabet = "0123456789abcdef"; - - bytes memory str = new bytes(66); - str[0] = "0"; - str[1] = "x"; - for (uint256 i = 0; i < 32; i++) { - str[2 + i * 2] = alphabet[uint8(value[i] >> 4)]; - str[3 + i * 2] = alphabet[uint8(value[i] & 0x0f)]; - } - result = string(str); + bytes memory alphabet = "0123456789abcdef"; + + bytes memory str = new bytes(66); + str[0] = "0"; + str[1] = "x"; + for (uint256 i = 0; i < 32; i++) { + str[2 + i * 2] = alphabet[uint8(value[i] >> 4)]; + str[3 + i * 2] = alphabet[uint8(value[i] & 0x0f)]; + } + result = string(str); } // Fr utility function bytesToFr(bytes calldata proofSection) pure returns (Fr scalar) { - scalar = FrLib.fromBytes32(bytes32(proofSection)); + scalar = FrLib.fromBytes32(bytes32(proofSection)); } // EC Point utilities function bytesToG1Point(bytes calldata proofSection) pure returns (Honk.G1Point memory point) { - point = Honk.G1Point({ x: uint256(bytes32(proofSection[0x00:0x20])) % Q, y: uint256(bytes32(proofSection[0x20:0x40])) % Q }); + point = Honk.G1Point({ + x: uint256(bytes32(proofSection[0x00:0x20])) % Q, + y: uint256(bytes32(proofSection[0x20:0x40])) % Q + }); } function negateInplace(Honk.G1Point memory point) pure returns (Honk.G1Point memory) { - point.y = (Q - point.y) % Q; - return point; + point.y = (Q - point.y) % Q; + return point; } /** 
@@ -1641,32 +1648,33 @@ function negateInplace(Honk.G1Point memory point) pure returns (Honk.G1Point mem * @return lhs * @return rhs */ -function convertPairingPointsToG1( - Fr[PAIRING_POINTS_SIZE] memory pairingPoints -) pure returns (Honk.G1Point memory lhs, Honk.G1Point memory rhs) { - uint256 lhsX = Fr.unwrap(pairingPoints[0]); - lhsX |= Fr.unwrap(pairingPoints[1]) << 68; - lhsX |= Fr.unwrap(pairingPoints[2]) << 136; - lhsX |= Fr.unwrap(pairingPoints[3]) << 204; - lhs.x = lhsX; - - uint256 lhsY = Fr.unwrap(pairingPoints[4]); - lhsY |= Fr.unwrap(pairingPoints[5]) << 68; - lhsY |= Fr.unwrap(pairingPoints[6]) << 136; - lhsY |= Fr.unwrap(pairingPoints[7]) << 204; - lhs.y = lhsY; - - uint256 rhsX = Fr.unwrap(pairingPoints[8]); - rhsX |= Fr.unwrap(pairingPoints[9]) << 68; - rhsX |= Fr.unwrap(pairingPoints[10]) << 136; - rhsX |= Fr.unwrap(pairingPoints[11]) << 204; - rhs.x = rhsX; - - uint256 rhsY = Fr.unwrap(pairingPoints[12]); - rhsY |= Fr.unwrap(pairingPoints[13]) << 68; - rhsY |= Fr.unwrap(pairingPoints[14]) << 136; - rhsY |= Fr.unwrap(pairingPoints[15]) << 204; - rhs.y = rhsY; +function convertPairingPointsToG1(Fr[PAIRING_POINTS_SIZE] memory pairingPoints) + pure + returns (Honk.G1Point memory lhs, Honk.G1Point memory rhs) +{ + uint256 lhsX = Fr.unwrap(pairingPoints[0]); + lhsX |= Fr.unwrap(pairingPoints[1]) << 68; + lhsX |= Fr.unwrap(pairingPoints[2]) << 136; + lhsX |= Fr.unwrap(pairingPoints[3]) << 204; + lhs.x = lhsX; + + uint256 lhsY = Fr.unwrap(pairingPoints[4]); + lhsY |= Fr.unwrap(pairingPoints[5]) << 68; + lhsY |= Fr.unwrap(pairingPoints[6]) << 136; + lhsY |= Fr.unwrap(pairingPoints[7]) << 204; + lhs.y = lhsY; + + uint256 rhsX = Fr.unwrap(pairingPoints[8]); + rhsX |= Fr.unwrap(pairingPoints[9]) << 68; + rhsX |= Fr.unwrap(pairingPoints[10]) << 136; + rhsX |= Fr.unwrap(pairingPoints[11]) << 204; + rhs.x = rhsX; + + uint256 rhsY = Fr.unwrap(pairingPoints[12]); + rhsY |= Fr.unwrap(pairingPoints[13]) << 68; + rhsY |= Fr.unwrap(pairingPoints[14]) << 136; + rhsY 
|= Fr.unwrap(pairingPoints[15]) << 204; + rhs.y = rhsY; } /** 
@@ -1678,32 +1686,32 @@ function convertPairingPointsToG1( * @return recursionSeparator The recursion separator - generated from hashing the above. */ function generateRecursionSeparator( - Fr[PAIRING_POINTS_SIZE] memory proofPairingPoints, - Honk.G1Point memory accLhs, - Honk.G1Point memory accRhs + Fr[PAIRING_POINTS_SIZE] memory proofPairingPoints, + Honk.G1Point memory accLhs, + Honk.G1Point memory accRhs ) pure returns (Fr recursionSeparator) { - // hash the proof aggregated X - // hash the proof aggregated Y - // hash the accum X - // hash the accum Y + // hash the proof aggregated X + // hash the proof aggregated Y + // hash the accum X + // hash the accum Y - (Honk.G1Point memory proofLhs, Honk.G1Point memory proofRhs) = convertPairingPointsToG1(proofPairingPoints); + (Honk.G1Point memory proofLhs, Honk.G1Point memory proofRhs) = convertPairingPointsToG1(proofPairingPoints); - uint256[8] memory recursionSeparatorElements; + uint256[8] memory recursionSeparatorElements; - // Proof points - recursionSeparatorElements[0] = proofLhs.x; - recursionSeparatorElements[1] = proofLhs.y; - recursionSeparatorElements[2] = proofRhs.x; - recursionSeparatorElements[3] = proofRhs.y; + // Proof points + recursionSeparatorElements[0] = proofLhs.x; + recursionSeparatorElements[1] = proofLhs.y; + recursionSeparatorElements[2] = proofRhs.x; + recursionSeparatorElements[3] = proofRhs.y; - // Accumulator points - recursionSeparatorElements[4] = accLhs.x; - recursionSeparatorElements[5] = accLhs.y; - recursionSeparatorElements[6] = accRhs.x; - recursionSeparatorElements[7] = accRhs.y; + // Accumulator points + recursionSeparatorElements[4] = accLhs.x; + recursionSeparatorElements[5] = accLhs.y; + recursionSeparatorElements[6] = accRhs.x; + recursionSeparatorElements[7] = accRhs.y; - recursionSeparator = FrLib.fromBytes32(keccak256(abi.encodePacked(recursionSeparatorElements))); + recursionSeparator = FrLib.fromBytes32(keccak256(abi.encodePacked(recursionSeparatorElements))); } /** 
@@ -1715,17 +1723,16 @@ function generateRecursionSeparator( * @param recursionSeperator The separator to use for the multiplication. * @return `(recursionSeperator * basePoint) + other`. */ -function mulWithSeperator( - Honk.G1Point memory basePoint, - Honk.G1Point memory other, - Fr recursionSeperator -) view returns (Honk.G1Point memory) { - Honk.G1Point memory result; +function mulWithSeperator(Honk.G1Point memory basePoint, Honk.G1Point memory other, Fr recursionSeperator) + view + returns (Honk.G1Point memory) +{ + Honk.G1Point memory result; - result = ecMul(recursionSeperator, basePoint); - result = ecAdd(result, other); + result = ecMul(recursionSeperator, basePoint); + result = ecAdd(result, other); - return result; + return result; } /** 
@@ -1737,41 +1744,41 @@ function mulWithSeperator( * @return result The result of the multiplication. */ function ecMul(Fr value, Honk.G1Point memory point) view returns (Honk.G1Point memory) { - Honk.G1Point memory result; - - assembly { - let free := mload(0x40) - // Write the point into memory (two 32 byte words) - // Memory layout: - // Address | value - // free | point.x - // free + 0x20| point.y - mstore(free, mload(point)) - mstore(add(free, 0x20), mload(add(point, 0x20))) - // Write the scalar into memory (one 32 byte word) - // Memory layout: - // Address | value - // free + 0x40| value - mstore(add(free, 0x40), value) - - // Call the ecMul precompile, it takes in the following - // [point.x, point.y, scalar], and returns the result back into the free memory location. - let success := staticcall(gas(), 0x07, free, 0x60, free, 0x40) - if iszero(success) { - revert(0, 0) - } - // Copy the result of the multiplication back into the result memory location. - // Memory layout: - // Address | value - // result | result.x - // result + 0x20| result.y - mstore(result, mload(free)) - mstore(add(result, 0x20), mload(add(free, 0x20))) - - mstore(0x40, add(free, 0x60)) - } - - return result; + Honk.G1Point memory result; + + assembly { + let free := mload(0x40) + // Write the point into memory (two 32 byte words) + // Memory layout: + // Address | value + // free | point.x + // free + 0x20| point.y + mstore(free, mload(point)) + mstore(add(free, 0x20), mload(add(point, 0x20))) + // Write the scalar into memory (one 32 byte word) + // Memory layout: + // Address | value + // free + 0x40| value + mstore(add(free, 0x40), value) + + // Call the ecMul precompile, it takes in the following + // [point.x, point.y, scalar], and returns the result back into the free memory location. + let success := staticcall(gas(), 0x07, free, 0x60, free, 0x40) + if iszero(success) { + revert(0, 0) + } + // Copy the result of the multiplication back into the result memory location. 
+ // Memory layout: + // Address | value + // result | result.x + // result + 0x20| result.y + mstore(result, mload(free)) + mstore(add(result, 0x20), mload(add(free, 0x20))) + + mstore(0x40, add(free, 0x60)) + } + + return result; } /** 
@@ -1783,637 +1790,649 @@ function ecMul(Fr value, Honk.G1Point memory point) view returns (Honk.G1Point m
 * @return result The result of the addition.
 */
 function ecAdd(Honk.G1Point memory lhs, Honk.G1Point memory rhs) view returns (Honk.G1Point memory) {
- Honk.G1Point memory result;
-
- assembly {
- let free := mload(0x40)
- // Write lhs into memory (two 32 byte words)
- // Memory layout:
- // Address | value
- // free | lhs.x
- // free + 0x20| lhs.y
- mstore(free, mload(lhs))
- mstore(add(free, 0x20), mload(add(lhs, 0x20)))
-
- // Write rhs into memory (two 32 byte words)
- // Memory layout:
- // Address | value
- // free + 0x40| rhs.x
- // free + 0x60| rhs.y
- mstore(add(free, 0x40), mload(rhs))
- mstore(add(free, 0x60), mload(add(rhs, 0x20)))
-
- // Call the ecAdd precompile, it takes in the following
- // [lhs.x, lhs.y, rhs.x, rhs.y], and returns their addition back into the free memory location.
- let success := staticcall(gas(), 0x06, free, 0x80, free, 0x40)
- if iszero(success) {
- revert(0, 0)
- }
-
- // Copy the result of the addition back into the result memory location.
- // Memory layout:
- // Address | value
- // result | result.x
- // result + 0x20| result.y
- mstore(result, mload(free))
- mstore(add(result, 0x20), mload(add(free, 0x20)))
-
- mstore(0x40, add(free, 0x80))
- }
-
- return result;
+ Honk.G1Point memory result;
+
+ assembly {
+ let free := mload(0x40)
+ // Write lhs into memory (two 32 byte words)
+ // Memory layout:
+ // Address | value
+ // free | lhs.x
+ // free + 0x20| lhs.y
+ mstore(free, mload(lhs))
+ mstore(add(free, 0x20), mload(add(lhs, 0x20)))
+
+ // Write rhs into memory (two 32 byte words)
+ // Memory layout:
+ // Address | value
+ // free + 0x40| rhs.x
+ // free + 0x60| rhs.y
+ mstore(add(free, 0x40), mload(rhs))
+ mstore(add(free, 0x60), mload(add(rhs, 0x20)))
+
+ // Call the ecAdd precompile, it takes in the following
+ // [lhs.x, lhs.y, rhs.x, rhs.y], and returns their addition back into the free memory location.
+ let success := staticcall(gas(), 0x06, free, 0x80, free, 0x40)
+ if iszero(success) { revert(0, 0) }
+
+ // Copy the result of the addition back into the result memory location.
+ // Memory layout:
+ // Address | value
+ // result | result.x
+ // result + 0x20| result.y
+ mstore(result, mload(free))
+ mstore(add(result, 0x20), mload(add(free, 0x20)))
+
+ mstore(0x40, add(free, 0x80))
+ }
+
+ return result;
 }
 function validateOnCurve(Honk.G1Point memory point) pure {
- uint256 x = point.x;
- uint256 y = point.y;
+ uint256 x = point.x;
+ uint256 y = point.y;
- bool success = false;
- assembly {
- let xx := mulmod(x, x, Q)
- success := eq(mulmod(y, y, Q), addmod(mulmod(x, xx, Q), 3, Q))
- }
+ bool success = false;
+ assembly {
+ let xx := mulmod(x, x, Q)
+ success := eq(mulmod(y, y, Q), addmod(mulmod(x, xx, Q), 3, Q))
+ }
- require(success, "point is not on the curve");
+ require(success, "point is not on the curve");
 }
 function pairing(Honk.G1Point memory rhs, Honk.G1Point memory lhs) view returns (bool decodedResult) {
- bytes memory input = abi.encodePacked(
- rhs.x,
- rhs.y,
- // Fixed G2 point
- uint256(0x198e9393920d483a7260bfb731fb5d25f1aa493335a9e71297e485b7aef312c2),
- uint256(0x1800deef121f1e76426a00665e5c4479674322d4f75edadd46debd5cd992f6ed),
- uint256(0x090689d0585ff075ec9e99ad690c3395bc4b313370b38ef355acdadcd122975b),
- uint256(0x12c85ea5db8c6deb4aab71808dcb408fe3d1e7690c43d37b4ce6cc0166fa7daa),
- lhs.x,
- lhs.y,
- // G2 point from VK
- uint256(0x260e01b251f6f1c7e7ff4e580791dee8ea51d87a358e038b4efe30fac09383c1),
- uint256(0x0118c4d5b837bcc2bc89b5b398b5974e9f5944073b32078b7e231fec938883b0),
- uint256(0x04fc6369f7110fe3d25156c1bb9a72859cf2a04641f99ba4ee413c80da6a5fe4),
- uint256(0x22febda3c0c0632a56475b4214e5615e11e6dd3f96e6cea2854a87d4dacc5e55)
- );
-
- (bool success, bytes memory result) = address(0x08).staticcall(input);
- decodedResult = success && abi.decode(result, (bool));
+ bytes memory input = abi.encodePacked(
+ rhs.x,
+ rhs.y,
+ // Fixed G2 point
+ uint256(0x198e9393920d483a7260bfb731fb5d25f1aa493335a9e71297e485b7aef312c2),
+ uint256(0x1800deef121f1e76426a00665e5c4479674322d4f75edadd46debd5cd992f6ed),
+ uint256(0x090689d0585ff075ec9e99ad690c3395bc4b313370b38ef355acdadcd122975b),
+ uint256(0x12c85ea5db8c6deb4aab71808dcb408fe3d1e7690c43d37b4ce6cc0166fa7daa),
+ lhs.x,
+ lhs.y,
+ // G2 point from VK
+ uint256(0x260e01b251f6f1c7e7ff4e580791dee8ea51d87a358e038b4efe30fac09383c1),
+ uint256(0x0118c4d5b837bcc2bc89b5b398b5974e9f5944073b32078b7e231fec938883b0),
+ uint256(0x04fc6369f7110fe3d25156c1bb9a72859cf2a04641f99ba4ee413c80da6a5fe4),
+ uint256(0x22febda3c0c0632a56475b4214e5615e11e6dd3f96e6cea2854a87d4dacc5e55)
+ );
+
+ (bool success, bytes memory result) = address(0x08).staticcall(input);
+ decodedResult = success && abi.decode(result, (bool));
 }
 // Field arithmetic libraries - prevent littering the code with modmul / addmul
-abstract contract BaseZKHonkVerifier is IVerifier {
- using FrLib for Fr;
-
- uint256 immutable $N;
- uint256 immutable $LOG_N;
- uint256 immutable $VK_HASH;
- uint256 immutable $NUM_PUBLIC_INPUTS;
-
- constructor(uint256 _N, uint256 _logN, uint256 _vkHash, uint256 _numPublicInputs) {
- $N = _N;
- $LOG_N = _logN;
- $VK_HASH = _vkHash;
- $NUM_PUBLIC_INPUTS = _numPublicInputs;
- }
-
- // Errors
- error ProofLengthWrong();
- error ProofLengthWrongWithLogN(uint256 logN, uint256 actualLength, uint256 expectedLength);
- error PublicInputsLengthWrong();
- error SumcheckFailed();
- error ShpleminiFailed();
- error GeminiChallengeInSubgroup();
- error ConsistencyCheckFailed();
-
- // Constants for proof length calculation (matching UltraKeccakZKFlavor)
- uint256 constant NUM_WITNESS_ENTITIES = 8;
- uint256 constant NUM_ELEMENTS_COMM = 2; // uint256 elements for curve points
- uint256 constant NUM_ELEMENTS_FR = 1; // uint256 elements for field elements
- uint256 constant NUM_LIBRA_EVALUATIONS = 4; // libra evaluations
-
- // Calculate proof size based on log_n (matching UltraKeccakZKFlavor 
formula) - function calculateProofSize(uint256 logN) internal pure returns (uint256) { - // Witness and Libra commitments - uint256 proofLength = NUM_WITNESS_ENTITIES * NUM_ELEMENTS_COMM; // witness commitments - proofLength += NUM_ELEMENTS_COMM * 4; // Libra concat, grand sum, quotient comms + Gemini masking - - // Sumcheck - proofLength += logN * ZK_BATCHED_RELATION_PARTIAL_LENGTH * NUM_ELEMENTS_FR; // sumcheck univariates - proofLength += NUMBER_OF_ENTITIES * NUM_ELEMENTS_FR; // sumcheck evaluations - - // Libra and Gemini - proofLength += NUM_ELEMENTS_FR * 3; // Libra sum, claimed eval, Gemini masking eval - proofLength += logN * NUM_ELEMENTS_FR; // Gemini a evaluations - proofLength += NUM_LIBRA_EVALUATIONS * NUM_ELEMENTS_FR; // libra evaluations - // PCS commitments - proofLength += (logN - 1) * NUM_ELEMENTS_COMM; // Gemini Fold commitments - proofLength += NUM_ELEMENTS_COMM * 2; // Shplonk Q and KZG W commitments - // Pairing points - proofLength += PAIRING_POINTS_SIZE; // pairing inputs carried on public inputs - return proofLength; - } - - uint256 constant SHIFTED_COMMITMENTS_START = 30; - - function loadVerificationKey() internal pure virtual returns (Honk.VerificationKey memory); +abstract contract BaseZKHonkVerifier is IVerifier { + using FrLib for Fr; - function verify(bytes calldata proof, bytes32[] calldata publicInputs) public view override returns (bool verified) { - // Calculate expected proof size based on $LOG_N - uint256 expectedProofSize = calculateProofSize($LOG_N); + uint256 immutable $N; + uint256 immutable $LOG_N; + uint256 immutable $VK_HASH; + uint256 immutable $NUM_PUBLIC_INPUTS; - // Check the received proof is the expected size where each field element is 32 bytes - if (proof.length != expectedProofSize * 32) { - revert ProofLengthWrongWithLogN($LOG_N, proof.length, expectedProofSize * 32); + constructor(uint256 _N, uint256 _logN, uint256 _vkHash, uint256 _numPublicInputs) { + $N = _N; + $LOG_N = _logN; + $VK_HASH = _vkHash; + 
$NUM_PUBLIC_INPUTS = _numPublicInputs; } - Honk.VerificationKey memory vk = loadVerificationKey(); - Honk.ZKProof memory p = ZKTranscriptLib.loadProof(proof, $LOG_N); + // Errors + error ProofLengthWrong(); + error ProofLengthWrongWithLogN(uint256 logN, uint256 actualLength, uint256 expectedLength); + error PublicInputsLengthWrong(); + error SumcheckFailed(); + error ShpleminiFailed(); + error GeminiChallengeInSubgroup(); + error ConsistencyCheckFailed(); - if (publicInputs.length != vk.publicInputsSize - PAIRING_POINTS_SIZE) { - revert PublicInputsLengthWrong(); - } + // Constants for proof length calculation (matching UltraKeccakZKFlavor) + uint256 constant NUM_WITNESS_ENTITIES = 8; + uint256 constant NUM_ELEMENTS_COMM = 2; // uint256 elements for curve points + uint256 constant NUM_ELEMENTS_FR = 1; // uint256 elements for field elements + uint256 constant NUM_LIBRA_EVALUATIONS = 4; // libra evaluations - // Generate the fiat shamir challenges for the whole protocol - ZKTranscript memory t = ZKTranscriptLib.generateTranscript(p, publicInputs, $VK_HASH, $NUM_PUBLIC_INPUTS, $LOG_N); + // Calculate proof size based on log_n (matching UltraKeccakZKFlavor formula) + function calculateProofSize(uint256 logN) internal pure returns (uint256) { + // Witness and Libra commitments + uint256 proofLength = NUM_WITNESS_ENTITIES * NUM_ELEMENTS_COMM; // witness commitments + proofLength += NUM_ELEMENTS_COMM * 4; // Libra concat, grand sum, quotient comms + Gemini masking - // Derive public input delta - t.relationParameters.publicInputsDelta = computePublicInputDelta( - publicInputs, - p.pairingPointObject, - t.relationParameters.beta, - t.relationParameters.gamma /*pubInputsOffset=*/, - 1 - ); + // Sumcheck + proofLength += logN * ZK_BATCHED_RELATION_PARTIAL_LENGTH * NUM_ELEMENTS_FR; // sumcheck univariates + proofLength += NUMBER_OF_ENTITIES * NUM_ELEMENTS_FR; // sumcheck evaluations - // Sumcheck - if (!verifySumcheck(p, t)) revert SumcheckFailed(); + // Libra and Gemini + 
proofLength += NUM_ELEMENTS_FR * 3; // Libra sum, claimed eval, Gemini masking eval + proofLength += logN * NUM_ELEMENTS_FR; // Gemini a evaluations + proofLength += NUM_LIBRA_EVALUATIONS * NUM_ELEMENTS_FR; // libra evaluations - if (!verifyShplemini(p, vk, t)) revert ShpleminiFailed(); + // PCS commitments + proofLength += (logN - 1) * NUM_ELEMENTS_COMM; // Gemini Fold commitments + proofLength += NUM_ELEMENTS_COMM * 2; // Shplonk Q and KZG W commitments - verified = true; - } + // Pairing points + proofLength += PAIRING_POINTS_SIZE; // pairing inputs carried on public inputs - uint256 constant PERMUTATION_ARGUMENT_VALUE_SEPARATOR = 1 << 28; + return proofLength; + } - function computePublicInputDelta( - bytes32[] memory publicInputs, - Fr[PAIRING_POINTS_SIZE] memory pairingPointObject, - Fr beta, - Fr gamma, - uint256 offset - ) internal view returns (Fr publicInputDelta) { - Fr numerator = Fr.wrap(1); - Fr denominator = Fr.wrap(1); + uint256 constant SHIFTED_COMMITMENTS_START = 30; - Fr numeratorAcc = gamma + (beta * FrLib.from(PERMUTATION_ARGUMENT_VALUE_SEPARATOR + offset)); - Fr denominatorAcc = gamma - (beta * FrLib.from(offset + 1)); + function loadVerificationKey() internal pure virtual returns (Honk.VerificationKey memory); + function verify(bytes calldata proof, bytes32[] calldata publicInputs) + public + view + override + returns (bool verified) { - for (uint256 i = 0; i < $NUM_PUBLIC_INPUTS - PAIRING_POINTS_SIZE; i++) { - Fr pubInput = FrLib.fromBytes32(publicInputs[i]); - - numerator = numerator * (numeratorAcc + pubInput); - denominator = denominator * (denominatorAcc + pubInput); - - numeratorAcc = numeratorAcc + beta; - denominatorAcc = denominatorAcc - beta; - } + // Calculate expected proof size based on $LOG_N + uint256 expectedProofSize = calculateProofSize($LOG_N); - for (uint256 i = 0; i < PAIRING_POINTS_SIZE; i++) { - Fr pubInput = pairingPointObject[i]; + // Check the received proof is the expected size where each field element is 32 bytes + 
if (proof.length != expectedProofSize * 32) { + revert ProofLengthWrongWithLogN($LOG_N, proof.length, expectedProofSize * 32); + } - numerator = numerator * (numeratorAcc + pubInput); - denominator = denominator * (denominatorAcc + pubInput); + Honk.VerificationKey memory vk = loadVerificationKey(); + Honk.ZKProof memory p = ZKTranscriptLib.loadProof(proof, $LOG_N); - numeratorAcc = numeratorAcc + beta; - denominatorAcc = denominatorAcc - beta; - } - } + if (publicInputs.length != vk.publicInputsSize - PAIRING_POINTS_SIZE) { + revert PublicInputsLengthWrong(); + } - // Fr delta = numerator / denominator; // TOOO: batch invert later? - publicInputDelta = FrLib.div(numerator, denominator); - } + // Generate the fiat shamir challenges for the whole protocol + ZKTranscript memory t = + ZKTranscriptLib.generateTranscript(p, publicInputs, $VK_HASH, $NUM_PUBLIC_INPUTS, $LOG_N); - function verifySumcheck(Honk.ZKProof memory proof, ZKTranscript memory tp) internal view returns (bool verified) { - Fr roundTargetSum = tp.libraChallenge * proof.libraSum; // default 0 - Fr powPartialEvaluation = Fr.wrap(1); + // Derive public input delta + t.relationParameters.publicInputsDelta = computePublicInputDelta( + publicInputs, + p.pairingPointObject, + t.relationParameters.beta, + t.relationParameters.gamma, /*pubInputsOffset=*/ + 1 + ); - // We perform sumcheck reductions over log n rounds ( the multivariate degree ) - for (uint256 round; round < $LOG_N; ++round) { - Fr[ZK_BATCHED_RELATION_PARTIAL_LENGTH] memory roundUnivariate = proof.sumcheckUnivariates[round]; - Fr totalSum = roundUnivariate[0] + roundUnivariate[1]; - if (totalSum != roundTargetSum) revert SumcheckFailed(); + // Sumcheck + if (!verifySumcheck(p, t)) revert SumcheckFailed(); - Fr roundChallenge = tp.sumCheckUChallenges[round]; + if (!verifyShplemini(p, vk, t)) revert ShpleminiFailed(); - // Update the round target for the next rounf - roundTargetSum = computeNextTargetSum(roundUnivariate, roundChallenge); - 
powPartialEvaluation = powPartialEvaluation * (Fr.wrap(1) + roundChallenge * (tp.gateChallenges[round] - Fr.wrap(1))); + verified = true; } - // Last round - Fr grandHonkRelationSum = RelationsLib.accumulateRelationEvaluations( - proof.sumcheckEvaluations, - tp.relationParameters, - tp.alphas, - powPartialEvaluation - ); - - Fr evaluation = Fr.wrap(1); - for (uint256 i = 2; i < $LOG_N; i++) { - evaluation = evaluation * tp.sumCheckUChallenges[i]; - } - - grandHonkRelationSum = grandHonkRelationSum * (Fr.wrap(1) - evaluation) + proof.libraEvaluation * tp.libraChallenge; - verified = (grandHonkRelationSum == roundTargetSum); - } - - // Return the new target sum for the next sumcheck round - function computeNextTargetSum( - Fr[ZK_BATCHED_RELATION_PARTIAL_LENGTH] memory roundUnivariates, - Fr roundChallenge - ) internal view returns (Fr targetSum) { - Fr[ZK_BATCHED_RELATION_PARTIAL_LENGTH] memory BARYCENTRIC_LAGRANGE_DENOMINATORS = [ - Fr.wrap(0x0000000000000000000000000000000000000000000000000000000000009d80), - Fr.wrap(0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593efffec51), - Fr.wrap(0x00000000000000000000000000000000000000000000000000000000000005a0), - Fr.wrap(0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593effffd31), - Fr.wrap(0x0000000000000000000000000000000000000000000000000000000000000240), - Fr.wrap(0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593effffd31), - Fr.wrap(0x00000000000000000000000000000000000000000000000000000000000005a0), - Fr.wrap(0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593efffec51), - Fr.wrap(0x0000000000000000000000000000000000000000000000000000000000009d80) - ]; - - // To compute the next target sum, we evaluate the given univariate at a point u (challenge). 
- - // Performing Barycentric evaluations - // Compute B(x) - Fr numeratorValue = Fr.wrap(1); - for (uint256 i = 0; i < ZK_BATCHED_RELATION_PARTIAL_LENGTH; ++i) { - numeratorValue = numeratorValue * (roundChallenge - Fr.wrap(i)); - } - - Fr[ZK_BATCHED_RELATION_PARTIAL_LENGTH] memory denominatorInverses; - for (uint256 i = 0; i < ZK_BATCHED_RELATION_PARTIAL_LENGTH; ++i) { - denominatorInverses[i] = FrLib.invert(BARYCENTRIC_LAGRANGE_DENOMINATORS[i] * (roundChallenge - Fr.wrap(i))); - } - - for (uint256 i = 0; i < ZK_BATCHED_RELATION_PARTIAL_LENGTH; ++i) { - targetSum = targetSum + roundUnivariates[i] * denominatorInverses[i]; - } - - // Scale the sum by the value of B(x) - targetSum = targetSum * numeratorValue; - } - - uint256 constant LIBRA_COMMITMENTS = 3; - uint256 constant LIBRA_EVALUATIONS = 4; - uint256 constant LIBRA_UNIVARIATES_LENGTH = 9; - - struct PairingInputs { - Honk.G1Point P_0; - Honk.G1Point P_1; - } - - function verifyShplemini( - Honk.ZKProof memory proof, - Honk.VerificationKey memory vk, - ZKTranscript memory tp - ) internal view returns (bool verified) { - CommitmentSchemeLib.ShpleminiIntermediates memory mem; // stack - - // - Compute vector (r, r², ... 
, r²⁽ⁿ⁻¹⁾), where n = log_circuit_size - Fr[] memory powers_of_evaluation_challenge = CommitmentSchemeLib.computeSquares(tp.geminiR, $LOG_N); - // Arrays hold values that will be linearly combined for the gemini and shplonk batch openings - Fr[] memory scalars = new Fr[](NUMBER_UNSHIFTED + $LOG_N + LIBRA_COMMITMENTS + 3); - Honk.G1Point[] memory commitments = new Honk.G1Point[](NUMBER_UNSHIFTED + $LOG_N + LIBRA_COMMITMENTS + 3); - - mem.posInvertedDenominator = (tp.shplonkZ - powers_of_evaluation_challenge[0]).invert(); - mem.negInvertedDenominator = (tp.shplonkZ + powers_of_evaluation_challenge[0]).invert(); - - mem.unshiftedScalar = mem.posInvertedDenominator + (tp.shplonkNu * mem.negInvertedDenominator); - mem.shiftedScalar = tp.geminiR.invert() * (mem.posInvertedDenominator - (tp.shplonkNu * mem.negInvertedDenominator)); - - scalars[0] = Fr.wrap(1); - commitments[0] = proof.shplonkQ; - - /* Batch multivariate opening claims, shifted and unshifted - * The vector of scalars is populated as follows: - * \f[ - * \left( - * - \left(\frac{1}{z-r} + \nu \times \frac{1}{z+r}\right), - * \ldots, - * - \rho^{i+k-1} \times \left(\frac{1}{z-r} + \nu \times \frac{1}{z+r}\right), - * - \rho^{i+k} \times \frac{1}{r} \times \left(\frac{1}{z-r} - \nu \times \frac{1}{z+r}\right), - * \ldots, - * - \rho^{k+m-1} \times \frac{1}{r} \times \left(\frac{1}{z-r} - \nu \times \frac{1}{z+r}\right) - * \right) - * \f] - * - * The following vector is concatenated to the vector of commitments: - * \f[ - * f_0, \ldots, f_{m-1}, f_{\text{shift}, 0}, \ldots, f_{\text{shift}, k-1} - * \f] - * - * Simultaneously, the evaluation of the multilinear polynomial - * \f[ - * \sum \rho^i \cdot f_i + \sum \rho^{i+k} \cdot f_{\text{shift}, i} - * \f] - * at the challenge point \f$ (u_0,\ldots, u_{n-1}) \f$ is computed. - * - * This approach minimizes the number of iterations over the commitments to multilinear polynomials - * and eliminates the need to store the powers of \f$ \rho \f$. 
- */ - mem.batchedEvaluation = proof.geminiMaskingEval; - mem.batchingChallenge = tp.rho; - mem.unshiftedScalarNeg = mem.unshiftedScalar.neg(); - mem.shiftedScalarNeg = mem.shiftedScalar.neg(); - - scalars[1] = mem.unshiftedScalarNeg; - for (uint256 i = 0; i < NUMBER_UNSHIFTED; ++i) { - scalars[i + 2] = mem.unshiftedScalarNeg * mem.batchingChallenge; - mem.batchedEvaluation = mem.batchedEvaluation + (proof.sumcheckEvaluations[i] * mem.batchingChallenge); - mem.batchingChallenge = mem.batchingChallenge * tp.rho; - } - // g commitments are accumulated at r - // For each of the to be shifted commitments perform the shift in place by - // adding to the unshifted value. - // We do so, as the values are to be used in batchMul later, and as - // `a * c + b * c = (a + b) * c` this will allow us to reduce memory and compute. - // Applied to w1, w2, w3, w4 and zPerm - for (uint256 i = 0; i < NUMBER_TO_BE_SHIFTED; ++i) { - uint256 scalarOff = i + SHIFTED_COMMITMENTS_START; - uint256 evaluationOff = i + NUMBER_UNSHIFTED; - - scalars[scalarOff] = scalars[scalarOff] + (mem.shiftedScalarNeg * mem.batchingChallenge); - mem.batchedEvaluation = mem.batchedEvaluation + (proof.sumcheckEvaluations[evaluationOff] * mem.batchingChallenge); - mem.batchingChallenge = mem.batchingChallenge * tp.rho; - } - - commitments[1] = proof.geminiMaskingPoly; - - commitments[2] = vk.qm; - commitments[3] = vk.qc; - commitments[4] = vk.ql; - commitments[5] = vk.qr; - commitments[6] = vk.qo; - commitments[7] = vk.q4; - commitments[8] = vk.qLookup; - commitments[9] = vk.qArith; - commitments[10] = vk.qDeltaRange; - commitments[11] = vk.qElliptic; - commitments[12] = vk.qMemory; - commitments[13] = vk.qNnf; - commitments[14] = vk.qPoseidon2External; - commitments[15] = vk.qPoseidon2Internal; - commitments[16] = vk.s1; - commitments[17] = vk.s2; - commitments[18] = vk.s3; - commitments[19] = vk.s4; - commitments[20] = vk.id1; - commitments[21] = vk.id2; - commitments[22] = vk.id3; - commitments[23] = 
vk.id4; - commitments[24] = vk.t1; - commitments[25] = vk.t2; - commitments[26] = vk.t3; - commitments[27] = vk.t4; - commitments[28] = vk.lagrangeFirst; - commitments[29] = vk.lagrangeLast; - - // Accumulate proof points - commitments[30] = proof.w1; - commitments[31] = proof.w2; - commitments[32] = proof.w3; - commitments[33] = proof.w4; - commitments[34] = proof.zPerm; - commitments[35] = proof.lookupInverses; - commitments[36] = proof.lookupReadCounts; - commitments[37] = proof.lookupReadTags; - - /* Batch gemini claims from the prover - * place the commitments to gemini aᵢ to the vector of commitments, compute the contributions from - * aᵢ(−r²ⁱ) for i=1, … , n−1 to the constant term accumulator, add corresponding scalars - * - * 1. Moves the vector - * \f[ - * \left( \text{com}(A_1), \text{com}(A_2), \ldots, \text{com}(A_{n-1}) \right) - * \f] - * to the 'commitments' vector. - * - * 2. Computes the scalars: - * \f[ - * \frac{\nu^{2}}{z + r^2}, \frac{\nu^3}{z + r^4}, \ldots, \frac{\nu^{n-1}}{z + r^{2^{n-1}}} - * \f] - * and places them into the 'scalars' vector. - * - * 3. Accumulates the summands of the constant term: - * \f[ - * \sum_{i=2}^{n-1} \frac{\nu^{i} \cdot A_i(-r^{2^i})}{z + r^{2^i}} - * \f] - * and adds them to the 'constant_term_accumulator'. 
- */ - - // Add contributions from A₀(r) and A₀(-r) to constant_term_accumulator: - // Compute the evaluations Aₗ(r^{2ˡ}) for l = 0, ..., $LOG_N - 1 - Fr[] memory foldPosEvaluations = CommitmentSchemeLib.computeFoldPosEvaluations( - tp.sumCheckUChallenges, - mem.batchedEvaluation, - proof.geminiAEvaluations, - powers_of_evaluation_challenge, - $LOG_N - ); + uint256 constant PERMUTATION_ARGUMENT_VALUE_SEPARATOR = 1 << 28; - mem.constantTermAccumulator = foldPosEvaluations[0] * mem.posInvertedDenominator; - mem.constantTermAccumulator = mem.constantTermAccumulator + (proof.geminiAEvaluations[0] * tp.shplonkNu * mem.negInvertedDenominator); + function computePublicInputDelta( + bytes32[] memory publicInputs, + Fr[PAIRING_POINTS_SIZE] memory pairingPointObject, + Fr beta, + Fr gamma, + uint256 offset + ) internal view returns (Fr publicInputDelta) { + Fr numerator = Fr.wrap(1); + Fr denominator = Fr.wrap(1); - mem.batchingChallenge = tp.shplonkNu.sqr(); - uint256 boundary = NUMBER_UNSHIFTED + 2; + Fr numeratorAcc = gamma + (beta * FrLib.from(PERMUTATION_ARGUMENT_VALUE_SEPARATOR + offset)); + Fr denominatorAcc = gamma - (beta * FrLib.from(offset + 1)); - // Compute Shplonk constant term contributions from Aₗ(± r^{2ˡ}) for l = 1, ..., m-1; - // Compute scalar multipliers for each fold commitment - for (uint256 i = 0; i < $LOG_N - 1; ++i) { - bool dummy_round = i >= ($LOG_N - 1); + { + for (uint256 i = 0; i < $NUM_PUBLIC_INPUTS - PAIRING_POINTS_SIZE; i++) { + Fr pubInput = FrLib.fromBytes32(publicInputs[i]); - if (!dummy_round) { - // Update inverted denominators - mem.posInvertedDenominator = (tp.shplonkZ - powers_of_evaluation_challenge[i + 1]).invert(); - mem.negInvertedDenominator = (tp.shplonkZ + powers_of_evaluation_challenge[i + 1]).invert(); - - // Compute the scalar multipliers for Aₗ(± r^{2ˡ}) and [Aₗ] - mem.scalingFactorPos = mem.batchingChallenge * mem.posInvertedDenominator; - mem.scalingFactorNeg = mem.batchingChallenge * tp.shplonkNu * 
mem.negInvertedDenominator; - scalars[boundary + i] = mem.scalingFactorNeg.neg() + mem.scalingFactorPos.neg(); + numerator = numerator * (numeratorAcc + pubInput); + denominator = denominator * (denominatorAcc + pubInput); - // Accumulate the const term contribution given by - // v^{2l} * Aₗ(r^{2ˡ}) /(z-r^{2^l}) + v^{2l+1} * Aₗ(-r^{2ˡ}) /(z+ r^{2^l}) - Fr accumContribution = mem.scalingFactorNeg * proof.geminiAEvaluations[i + 1]; - accumContribution = accumContribution + mem.scalingFactorPos * foldPosEvaluations[i + 1]; - mem.constantTermAccumulator = mem.constantTermAccumulator + accumContribution; - } - // Update the running power of v - mem.batchingChallenge = mem.batchingChallenge * tp.shplonkNu * tp.shplonkNu; + numeratorAcc = numeratorAcc + beta; + denominatorAcc = denominatorAcc - beta; + } - commitments[boundary + i] = proof.geminiFoldComms[i]; - } + for (uint256 i = 0; i < PAIRING_POINTS_SIZE; i++) { + Fr pubInput = pairingPointObject[i]; - boundary += $LOG_N - 1; + numerator = numerator * (numeratorAcc + pubInput); + denominator = denominator * (denominatorAcc + pubInput); - // Finalize the batch opening claim - mem.denominators[0] = Fr.wrap(1).div(tp.shplonkZ - tp.geminiR); - mem.denominators[1] = Fr.wrap(1).div(tp.shplonkZ - SUBGROUP_GENERATOR * tp.geminiR); - mem.denominators[2] = mem.denominators[0]; - mem.denominators[3] = mem.denominators[0]; + numeratorAcc = numeratorAcc + beta; + denominatorAcc = denominatorAcc - beta; + } + } - mem.batchingChallenge = mem.batchingChallenge * tp.shplonkNu * tp.shplonkNu; - for (uint256 i = 0; i < LIBRA_EVALUATIONS; i++) { - Fr scalingFactor = mem.denominators[i] * mem.batchingChallenge; - mem.batchingScalars[i] = scalingFactor.neg(); - mem.batchingChallenge = mem.batchingChallenge * tp.shplonkNu; - mem.constantTermAccumulator = mem.constantTermAccumulator + scalingFactor * proof.libraPolyEvals[i]; + // Fr delta = numerator / denominator; // TOOO: batch invert later? 
+ publicInputDelta = FrLib.div(numerator, denominator); } - scalars[boundary] = mem.batchingScalars[0]; - scalars[boundary + 1] = mem.batchingScalars[1] + mem.batchingScalars[2]; - scalars[boundary + 2] = mem.batchingScalars[3]; - for (uint256 i = 0; i < LIBRA_COMMITMENTS; i++) { - commitments[boundary++] = proof.libraCommitments[i]; - } - - commitments[boundary] = Honk.G1Point({ x: 1, y: 2 }); - scalars[boundary++] = mem.constantTermAccumulator; + function verifySumcheck(Honk.ZKProof memory proof, ZKTranscript memory tp) internal view returns (bool verified) { + Fr roundTargetSum = tp.libraChallenge * proof.libraSum; // default 0 + Fr powPartialEvaluation = Fr.wrap(1); - if (!checkEvalsConsistency(proof.libraPolyEvals, tp.geminiR, tp.sumCheckUChallenges, proof.libraEvaluation)) { - revert ConsistencyCheckFailed(); - } + // We perform sumcheck reductions over log n rounds ( the multivariate degree ) + for (uint256 round; round < $LOG_N; ++round) { + Fr[ZK_BATCHED_RELATION_PARTIAL_LENGTH] memory roundUnivariate = proof.sumcheckUnivariates[round]; + Fr totalSum = roundUnivariate[0] + roundUnivariate[1]; + if (totalSum != roundTargetSum) revert SumcheckFailed(); - Honk.G1Point memory quotient_commitment = proof.kzgQuotient; + Fr roundChallenge = tp.sumCheckUChallenges[round]; - commitments[boundary] = quotient_commitment; - scalars[boundary] = tp.shplonkZ; // evaluation challenge + // Update the round target for the next rounf + roundTargetSum = computeNextTargetSum(roundUnivariate, roundChallenge); + powPartialEvaluation = + powPartialEvaluation * (Fr.wrap(1) + roundChallenge * (tp.gateChallenges[round] - Fr.wrap(1))); + } - PairingInputs memory pair; - pair.P_0 = batchMul(commitments, scalars); - pair.P_1 = negateInplace(quotient_commitment); + // Last round + Fr grandHonkRelationSum = RelationsLib.accumulateRelationEvaluations( + proof.sumcheckEvaluations, tp.relationParameters, tp.alphas, powPartialEvaluation + ); - // Aggregate pairing points - Fr 
recursionSeparator = generateRecursionSeparator(proof.pairingPointObject, pair.P_0, pair.P_1); - (Honk.G1Point memory P_0_other, Honk.G1Point memory P_1_other) = convertPairingPointsToG1(proof.pairingPointObject); - - // Validate the points from the proof are on the curve - validateOnCurve(P_0_other); - validateOnCurve(P_1_other); - - // accumulate with aggregate points in proof - pair.P_0 = mulWithSeperator(pair.P_0, P_0_other, recursionSeparator); - pair.P_1 = mulWithSeperator(pair.P_1, P_1_other, recursionSeparator); - - return pairing(pair.P_0, pair.P_1); - } - - struct SmallSubgroupIpaIntermediates { - Fr[SUBGROUP_SIZE] challengePolyLagrange; - Fr challengePolyEval; - Fr lagrangeFirst; - Fr lagrangeLast; - Fr rootPower; - Fr[SUBGROUP_SIZE] denominators; // this has to disappear - Fr diff; - } - - function checkEvalsConsistency( - Fr[LIBRA_EVALUATIONS] memory libraPolyEvals, - Fr geminiR, - Fr[CONST_PROOF_SIZE_LOG_N] memory uChallenges, - Fr libraEval - ) internal view returns (bool check) { - Fr one = Fr.wrap(1); - Fr vanishingPolyEval = geminiR.pow(SUBGROUP_SIZE) - one; - if (vanishingPolyEval == Fr.wrap(0)) { - revert GeminiChallengeInSubgroup(); - } + Fr evaluation = Fr.wrap(1); + for (uint256 i = 2; i < $LOG_N; i++) { + evaluation = evaluation * tp.sumCheckUChallenges[i]; + } - SmallSubgroupIpaIntermediates memory mem; - mem.challengePolyLagrange[0] = one; - for (uint256 round = 0; round < $LOG_N; round++) { - uint256 currIdx = 1 + LIBRA_UNIVARIATES_LENGTH * round; - mem.challengePolyLagrange[currIdx] = one; - for (uint256 idx = currIdx + 1; idx < currIdx + LIBRA_UNIVARIATES_LENGTH; idx++) { - mem.challengePolyLagrange[idx] = mem.challengePolyLagrange[idx - 1] * uChallenges[round]; - } + grandHonkRelationSum = + grandHonkRelationSum * (Fr.wrap(1) - evaluation) + proof.libraEvaluation * tp.libraChallenge; + verified = (grandHonkRelationSum == roundTargetSum); } - mem.rootPower = one; - mem.challengePolyEval = Fr.wrap(0); - for (uint256 idx = 0; idx < 
SUBGROUP_SIZE; idx++) { - mem.denominators[idx] = mem.rootPower * geminiR - one; - mem.denominators[idx] = mem.denominators[idx].invert(); - mem.challengePolyEval = mem.challengePolyEval + mem.challengePolyLagrange[idx] * mem.denominators[idx]; - mem.rootPower = mem.rootPower * SUBGROUP_GENERATOR_INVERSE; - } - - Fr numerator = vanishingPolyEval * Fr.wrap(SUBGROUP_SIZE).invert(); - mem.challengePolyEval = mem.challengePolyEval * numerator; - mem.lagrangeFirst = mem.denominators[0] * numerator; - mem.lagrangeLast = mem.denominators[SUBGROUP_SIZE - 1] * numerator; - - mem.diff = mem.lagrangeFirst * libraPolyEvals[2]; - - mem.diff = - mem.diff + - (geminiR - SUBGROUP_GENERATOR_INVERSE) * - (libraPolyEvals[1] - libraPolyEvals[2] - libraPolyEvals[0] * mem.challengePolyEval); - mem.diff = mem.diff + mem.lagrangeLast * (libraPolyEvals[2] - libraEval) - vanishingPolyEval * libraPolyEvals[3]; - - check = mem.diff == Fr.wrap(0); - } + // Return the new target sum for the next sumcheck round + function computeNextTargetSum(Fr[ZK_BATCHED_RELATION_PARTIAL_LENGTH] memory roundUnivariates, Fr roundChallenge) + internal + view + returns (Fr targetSum) + { + Fr[ZK_BATCHED_RELATION_PARTIAL_LENGTH] memory BARYCENTRIC_LAGRANGE_DENOMINATORS = [ + Fr.wrap(0x0000000000000000000000000000000000000000000000000000000000009d80), + Fr.wrap(0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593efffec51), + Fr.wrap(0x00000000000000000000000000000000000000000000000000000000000005a0), + Fr.wrap(0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593effffd31), + Fr.wrap(0x0000000000000000000000000000000000000000000000000000000000000240), + Fr.wrap(0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593effffd31), + Fr.wrap(0x00000000000000000000000000000000000000000000000000000000000005a0), + Fr.wrap(0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593efffec51), + Fr.wrap(0x0000000000000000000000000000000000000000000000000000000000009d80) + ]; + + // To compute the next target sum, 
we evaluate the given univariate at a point u (challenge). + + // Performing Barycentric evaluations + // Compute B(x) + Fr numeratorValue = Fr.wrap(1); + for (uint256 i = 0; i < ZK_BATCHED_RELATION_PARTIAL_LENGTH; ++i) { + numeratorValue = numeratorValue * (roundChallenge - Fr.wrap(i)); + } + + Fr[ZK_BATCHED_RELATION_PARTIAL_LENGTH] memory denominatorInverses; + for (uint256 i = 0; i < ZK_BATCHED_RELATION_PARTIAL_LENGTH; ++i) { + denominatorInverses[i] = FrLib.invert(BARYCENTRIC_LAGRANGE_DENOMINATORS[i] * (roundChallenge - Fr.wrap(i))); + } + + for (uint256 i = 0; i < ZK_BATCHED_RELATION_PARTIAL_LENGTH; ++i) { + targetSum = targetSum + roundUnivariates[i] * denominatorInverses[i]; + } + + // Scale the sum by the value of B(x) + targetSum = targetSum * numeratorValue; + } + + uint256 constant LIBRA_COMMITMENTS = 3; + uint256 constant LIBRA_EVALUATIONS = 4; + uint256 constant LIBRA_UNIVARIATES_LENGTH = 9; + + struct PairingInputs { + Honk.G1Point P_0; + Honk.G1Point P_1; + } + + function verifyShplemini(Honk.ZKProof memory proof, Honk.VerificationKey memory vk, ZKTranscript memory tp) + internal + view + returns (bool verified) + { + CommitmentSchemeLib.ShpleminiIntermediates memory mem; // stack + + // - Compute vector (r, r², ... 
, r²⁽ⁿ⁻¹⁾), where n = log_circuit_size + Fr[] memory powers_of_evaluation_challenge = CommitmentSchemeLib.computeSquares(tp.geminiR, $LOG_N); + // Arrays hold values that will be linearly combined for the gemini and shplonk batch openings + Fr[] memory scalars = new Fr[](NUMBER_UNSHIFTED + $LOG_N + LIBRA_COMMITMENTS + 3); + Honk.G1Point[] memory commitments = new Honk.G1Point[](NUMBER_UNSHIFTED + $LOG_N + LIBRA_COMMITMENTS + 3); + + mem.posInvertedDenominator = (tp.shplonkZ - powers_of_evaluation_challenge[0]).invert(); + mem.negInvertedDenominator = (tp.shplonkZ + powers_of_evaluation_challenge[0]).invert(); + + mem.unshiftedScalar = mem.posInvertedDenominator + (tp.shplonkNu * mem.negInvertedDenominator); + mem.shiftedScalar = + tp.geminiR.invert() * (mem.posInvertedDenominator - (tp.shplonkNu * mem.negInvertedDenominator)); + + scalars[0] = Fr.wrap(1); + commitments[0] = proof.shplonkQ; + + /* Batch multivariate opening claims, shifted and unshifted + * The vector of scalars is populated as follows: + * \f[ + * \left( + * - \left(\frac{1}{z-r} + \nu \times \frac{1}{z+r}\right), + * \ldots, + * - \rho^{i+k-1} \times \left(\frac{1}{z-r} + \nu \times \frac{1}{z+r}\right), + * - \rho^{i+k} \times \frac{1}{r} \times \left(\frac{1}{z-r} - \nu \times \frac{1}{z+r}\right), + * \ldots, + * - \rho^{k+m-1} \times \frac{1}{r} \times \left(\frac{1}{z-r} - \nu \times \frac{1}{z+r}\right) + * \right) + * \f] + * + * The following vector is concatenated to the vector of commitments: + * \f[ + * f_0, \ldots, f_{m-1}, f_{\text{shift}, 0}, \ldots, f_{\text{shift}, k-1} + * \f] + * + * Simultaneously, the evaluation of the multilinear polynomial + * \f[ + * \sum \rho^i \cdot f_i + \sum \rho^{i+k} \cdot f_{\text{shift}, i} + * \f] + * at the challenge point \f$ (u_0,\ldots, u_{n-1}) \f$ is computed. + * + * This approach minimizes the number of iterations over the commitments to multilinear polynomials + * and eliminates the need to store the powers of \f$ \rho \f$. 
+ */ + mem.batchedEvaluation = proof.geminiMaskingEval; + mem.batchingChallenge = tp.rho; + mem.unshiftedScalarNeg = mem.unshiftedScalar.neg(); + mem.shiftedScalarNeg = mem.shiftedScalar.neg(); + + scalars[1] = mem.unshiftedScalarNeg; + for (uint256 i = 0; i < NUMBER_UNSHIFTED; ++i) { + scalars[i + 2] = mem.unshiftedScalarNeg * mem.batchingChallenge; + mem.batchedEvaluation = mem.batchedEvaluation + (proof.sumcheckEvaluations[i] * mem.batchingChallenge); + mem.batchingChallenge = mem.batchingChallenge * tp.rho; + } + // g commitments are accumulated at r + // For each of the to be shifted commitments perform the shift in place by + // adding to the unshifted value. + // We do so, as the values are to be used in batchMul later, and as + // `a * c + b * c = (a + b) * c` this will allow us to reduce memory and compute. + // Applied to w1, w2, w3, w4 and zPerm + for (uint256 i = 0; i < NUMBER_TO_BE_SHIFTED; ++i) { + uint256 scalarOff = i + SHIFTED_COMMITMENTS_START; + uint256 evaluationOff = i + NUMBER_UNSHIFTED; + + scalars[scalarOff] = scalars[scalarOff] + (mem.shiftedScalarNeg * mem.batchingChallenge); + mem.batchedEvaluation = + mem.batchedEvaluation + (proof.sumcheckEvaluations[evaluationOff] * mem.batchingChallenge); + mem.batchingChallenge = mem.batchingChallenge * tp.rho; + } + + commitments[1] = proof.geminiMaskingPoly; + + commitments[2] = vk.qm; + commitments[3] = vk.qc; + commitments[4] = vk.ql; + commitments[5] = vk.qr; + commitments[6] = vk.qo; + commitments[7] = vk.q4; + commitments[8] = vk.qLookup; + commitments[9] = vk.qArith; + commitments[10] = vk.qDeltaRange; + commitments[11] = vk.qElliptic; + commitments[12] = vk.qMemory; + commitments[13] = vk.qNnf; + commitments[14] = vk.qPoseidon2External; + commitments[15] = vk.qPoseidon2Internal; + commitments[16] = vk.s1; + commitments[17] = vk.s2; + commitments[18] = vk.s3; + commitments[19] = vk.s4; + commitments[20] = vk.id1; + commitments[21] = vk.id2; + commitments[22] = vk.id3; + commitments[23] = 
vk.id4; + commitments[24] = vk.t1; + commitments[25] = vk.t2; + commitments[26] = vk.t3; + commitments[27] = vk.t4; + commitments[28] = vk.lagrangeFirst; + commitments[29] = vk.lagrangeLast; + + // Accumulate proof points + commitments[30] = proof.w1; + commitments[31] = proof.w2; + commitments[32] = proof.w3; + commitments[33] = proof.w4; + commitments[34] = proof.zPerm; + commitments[35] = proof.lookupInverses; + commitments[36] = proof.lookupReadCounts; + commitments[37] = proof.lookupReadTags; + + /* Batch gemini claims from the prover + * place the commitments to gemini aᵢ to the vector of commitments, compute the contributions from + * aᵢ(−r²ⁱ) for i=1, … , n−1 to the constant term accumulator, add corresponding scalars + * + * 1. Moves the vector + * \f[ + * \left( \text{com}(A_1), \text{com}(A_2), \ldots, \text{com}(A_{n-1}) \right) + * \f] + * to the 'commitments' vector. + * + * 2. Computes the scalars: + * \f[ + * \frac{\nu^{2}}{z + r^2}, \frac{\nu^3}{z + r^4}, \ldots, \frac{\nu^{n-1}}{z + r^{2^{n-1}}} + * \f] + * and places them into the 'scalars' vector. + * + * 3. Accumulates the summands of the constant term: + * \f[ + * \sum_{i=2}^{n-1} \frac{\nu^{i} \cdot A_i(-r^{2^i})}{z + r^{2^i}} + * \f] + * and adds them to the 'constant_term_accumulator'. 
+ */ + + // Add contributions from A₀(r) and A₀(-r) to constant_term_accumulator: + // Compute the evaluations Aₗ(r^{2ˡ}) for l = 0, ..., $LOG_N - 1 + Fr[] memory foldPosEvaluations = CommitmentSchemeLib.computeFoldPosEvaluations( + tp.sumCheckUChallenges, + mem.batchedEvaluation, + proof.geminiAEvaluations, + powers_of_evaluation_challenge, + $LOG_N + ); + + mem.constantTermAccumulator = foldPosEvaluations[0] * mem.posInvertedDenominator; + mem.constantTermAccumulator = + mem.constantTermAccumulator + (proof.geminiAEvaluations[0] * tp.shplonkNu * mem.negInvertedDenominator); + + mem.batchingChallenge = tp.shplonkNu.sqr(); + uint256 boundary = NUMBER_UNSHIFTED + 2; + + // Compute Shplonk constant term contributions from Aₗ(± r^{2ˡ}) for l = 1, ..., m-1; + // Compute scalar multipliers for each fold commitment + for (uint256 i = 0; i < $LOG_N - 1; ++i) { + bool dummy_round = i >= ($LOG_N - 1); + + if (!dummy_round) { + // Update inverted denominators + mem.posInvertedDenominator = (tp.shplonkZ - powers_of_evaluation_challenge[i + 1]).invert(); + mem.negInvertedDenominator = (tp.shplonkZ + powers_of_evaluation_challenge[i + 1]).invert(); + + // Compute the scalar multipliers for Aₗ(± r^{2ˡ}) and [Aₗ] + mem.scalingFactorPos = mem.batchingChallenge * mem.posInvertedDenominator; + mem.scalingFactorNeg = mem.batchingChallenge * tp.shplonkNu * mem.negInvertedDenominator; + scalars[boundary + i] = mem.scalingFactorNeg.neg() + mem.scalingFactorPos.neg(); + + // Accumulate the const term contribution given by + // v^{2l} * Aₗ(r^{2ˡ}) /(z-r^{2^l}) + v^{2l+1} * Aₗ(-r^{2ˡ}) /(z+ r^{2^l}) + Fr accumContribution = mem.scalingFactorNeg * proof.geminiAEvaluations[i + 1]; + accumContribution = accumContribution + mem.scalingFactorPos * foldPosEvaluations[i + 1]; + mem.constantTermAccumulator = mem.constantTermAccumulator + accumContribution; + } + // Update the running power of v + mem.batchingChallenge = mem.batchingChallenge * tp.shplonkNu * tp.shplonkNu; + + commitments[boundary 
+ i] = proof.geminiFoldComms[i]; + } + + boundary += $LOG_N - 1; + + // Finalize the batch opening claim + mem.denominators[0] = Fr.wrap(1).div(tp.shplonkZ - tp.geminiR); + mem.denominators[1] = Fr.wrap(1).div(tp.shplonkZ - SUBGROUP_GENERATOR * tp.geminiR); + mem.denominators[2] = mem.denominators[0]; + mem.denominators[3] = mem.denominators[0]; + + mem.batchingChallenge = mem.batchingChallenge * tp.shplonkNu * tp.shplonkNu; + for (uint256 i = 0; i < LIBRA_EVALUATIONS; i++) { + Fr scalingFactor = mem.denominators[i] * mem.batchingChallenge; + mem.batchingScalars[i] = scalingFactor.neg(); + mem.batchingChallenge = mem.batchingChallenge * tp.shplonkNu; + mem.constantTermAccumulator = mem.constantTermAccumulator + scalingFactor * proof.libraPolyEvals[i]; + } + scalars[boundary] = mem.batchingScalars[0]; + scalars[boundary + 1] = mem.batchingScalars[1] + mem.batchingScalars[2]; + scalars[boundary + 2] = mem.batchingScalars[3]; + + for (uint256 i = 0; i < LIBRA_COMMITMENTS; i++) { + commitments[boundary++] = proof.libraCommitments[i]; + } + + commitments[boundary] = Honk.G1Point({x: 1, y: 2}); + scalars[boundary++] = mem.constantTermAccumulator; + + if (!checkEvalsConsistency(proof.libraPolyEvals, tp.geminiR, tp.sumCheckUChallenges, proof.libraEvaluation)) { + revert ConsistencyCheckFailed(); + } + + Honk.G1Point memory quotient_commitment = proof.kzgQuotient; + + commitments[boundary] = quotient_commitment; + scalars[boundary] = tp.shplonkZ; // evaluation challenge + + PairingInputs memory pair; + pair.P_0 = batchMul(commitments, scalars); + pair.P_1 = negateInplace(quotient_commitment); + + // Aggregate pairing points + Fr recursionSeparator = generateRecursionSeparator(proof.pairingPointObject, pair.P_0, pair.P_1); + (Honk.G1Point memory P_0_other, Honk.G1Point memory P_1_other) = + convertPairingPointsToG1(proof.pairingPointObject); + + // Validate the points from the proof are on the curve + validateOnCurve(P_0_other); + validateOnCurve(P_1_other); + + // 
accumulate with aggregate points in proof + pair.P_0 = mulWithSeperator(pair.P_0, P_0_other, recursionSeparator); + pair.P_1 = mulWithSeperator(pair.P_1, P_1_other, recursionSeparator); + + return pairing(pair.P_0, pair.P_1); + } + + struct SmallSubgroupIpaIntermediates { + Fr[SUBGROUP_SIZE] challengePolyLagrange; + Fr challengePolyEval; + Fr lagrangeFirst; + Fr lagrangeLast; + Fr rootPower; + Fr[SUBGROUP_SIZE] denominators; // this has to disappear + Fr diff; + } + + function checkEvalsConsistency( + Fr[LIBRA_EVALUATIONS] memory libraPolyEvals, + Fr geminiR, + Fr[CONST_PROOF_SIZE_LOG_N] memory uChallenges, + Fr libraEval + ) internal view returns (bool check) { + Fr one = Fr.wrap(1); + Fr vanishingPolyEval = geminiR.pow(SUBGROUP_SIZE) - one; + if (vanishingPolyEval == Fr.wrap(0)) { + revert GeminiChallengeInSubgroup(); + } + + SmallSubgroupIpaIntermediates memory mem; + mem.challengePolyLagrange[0] = one; + for (uint256 round = 0; round < $LOG_N; round++) { + uint256 currIdx = 1 + LIBRA_UNIVARIATES_LENGTH * round; + mem.challengePolyLagrange[currIdx] = one; + for (uint256 idx = currIdx + 1; idx < currIdx + LIBRA_UNIVARIATES_LENGTH; idx++) { + mem.challengePolyLagrange[idx] = mem.challengePolyLagrange[idx - 1] * uChallenges[round]; + } + } + + mem.rootPower = one; + mem.challengePolyEval = Fr.wrap(0); + for (uint256 idx = 0; idx < SUBGROUP_SIZE; idx++) { + mem.denominators[idx] = mem.rootPower * geminiR - one; + mem.denominators[idx] = mem.denominators[idx].invert(); + mem.challengePolyEval = mem.challengePolyEval + mem.challengePolyLagrange[idx] * mem.denominators[idx]; + mem.rootPower = mem.rootPower * SUBGROUP_GENERATOR_INVERSE; + } + + Fr numerator = vanishingPolyEval * Fr.wrap(SUBGROUP_SIZE).invert(); + mem.challengePolyEval = mem.challengePolyEval * numerator; + mem.lagrangeFirst = mem.denominators[0] * numerator; + mem.lagrangeLast = mem.denominators[SUBGROUP_SIZE - 1] * numerator; + + mem.diff = mem.lagrangeFirst * libraPolyEvals[2]; + + mem.diff = mem.diff 
+ + (geminiR - SUBGROUP_GENERATOR_INVERSE) + * (libraPolyEvals[1] - libraPolyEvals[2] - libraPolyEvals[0] * mem.challengePolyEval); + mem.diff = mem.diff + mem.lagrangeLast * (libraPolyEvals[2] - libraEval) - vanishingPolyEval * libraPolyEvals[3]; + + check = mem.diff == Fr.wrap(0); + } + + // This implementation is the same as above with different constants + function batchMul(Honk.G1Point[] memory base, Fr[] memory scalars) + internal + view + returns (Honk.G1Point memory result) + { + uint256 limit = NUMBER_UNSHIFTED + $LOG_N + LIBRA_COMMITMENTS + 3; - // This implementation is the same as above with different constants - function batchMul(Honk.G1Point[] memory base, Fr[] memory scalars) internal view returns (Honk.G1Point memory result) { - uint256 limit = NUMBER_UNSHIFTED + $LOG_N + LIBRA_COMMITMENTS + 3; + // Validate all points are on the curve + for (uint256 i = 0; i < limit; ++i) { + validateOnCurve(base[i]); + } - // Validate all points are on the curve - for (uint256 i = 0; i < limit; ++i) { - validateOnCurve(base[i]); - } + bool success = true; + assembly { + let free := mload(0x40) - bool success = true; - assembly { - let free := mload(0x40) + let count := 0x01 + for {} lt(count, add(limit, 1)) { count := add(count, 1) } { + // Get loop offsets + let base_base := add(base, mul(count, 0x20)) + let scalar_base := add(scalars, mul(count, 0x20)) - let count := 0x01 - for {} lt(count, add(limit, 1)) { - count := add(count, 1) - } { - // Get loop offsets - let base_base := add(base, mul(count, 0x20)) - let scalar_base := add(scalars, mul(count, 0x20)) + mstore(add(free, 0x40), mload(mload(base_base))) + mstore(add(free, 0x60), mload(add(0x20, mload(base_base)))) + // Add scalar + mstore(add(free, 0x80), mload(scalar_base)) - mstore(add(free, 0x40), mload(mload(base_base))) - mstore(add(free, 0x60), mload(add(0x20, mload(base_base)))) - // Add scalar - mstore(add(free, 0x80), mload(scalar_base)) + success := and(success, staticcall(gas(), 7, add(free, 0x40), 
0x60, add(free, 0x40), 0x40)) + // accumulator = accumulator + accumulator_2 + success := and(success, staticcall(gas(), 6, free, 0x80, free, 0x40)) + } - success := and(success, staticcall(gas(), 7, add(free, 0x40), 0x60, add(free, 0x40), 0x40)) - // accumulator = accumulator + accumulator_2 - success := and(success, staticcall(gas(), 6, free, 0x80, free, 0x40)) - } + // Return the result + mstore(result, mload(free)) + mstore(add(result, 0x20), mload(add(free, 0x20))) + } - // Return the result - mstore(result, mload(free)) - mstore(add(result, 0x20), mload(add(free, 0x20))) + require(success, ShpleminiFailed()); } - - require(success, ShpleminiFailed()); - } } contract HonkVerifier is BaseZKHonkVerifier(N, LOG_N, VK_HASH, NUMBER_OF_PUBLIC_INPUTS) { - function loadVerificationKey() internal pure override returns (Honk.VerificationKey memory) { - return HonkVerificationKey.loadVerificationKey(); - } + function loadVerificationKey() internal pure override returns (Honk.VerificationKey memory) { + return HonkVerificationKey.loadVerificationKey(); + } } diff --git a/examples/CRISP/server/Cargo.toml b/examples/CRISP/server/Cargo.toml index 1835adae35..6a467101e7 100644 --- a/examples/CRISP/server/Cargo.toml +++ b/examples/CRISP/server/Cargo.toml @@ -46,7 +46,6 @@ e3-compute-provider.workspace = true e3-sdk = { workspace = true, default-features = false, features=["full"] } e3-fhe-params = { workspace = true } evm-helpers = { path = "../crates/evm_helpers" } -crisp-constants.workspace = true crisp-utils.workspace = true # CLI and user interaction diff --git a/examples/CRISP/server/src/cli/commands.rs b/examples/CRISP/server/src/cli/commands.rs index 2ee0236e3d..5e20a00d78 100644 --- a/examples/CRISP/server/src/cli/commands.rs +++ b/examples/CRISP/server/src/cli/commands.rs 
@@ -4,8 +4,8 @@ // without even the implied warranty of MERCHANTABILITY // or FITNESS FOR A PARTICULAR PURPOSE. -use crisp_constants::get_default_paramset; use dialoguer::{theme::ColorfulTheme, FuzzySelect, Input}; +use e3_fhe_params::default_param_set; use log::info; use reqwest::Client; use serde::{Deserialize, Serialize}; @@ -317,7 +317,7 @@ pub async fn decrypt_and_publish_result( } fn generate_bfv_parameters() -> Arc { - build_bfv_params_from_set_arc(get_default_paramset()) + build_bfv_params_from_set_arc(default_param_set()) } fn generate_keys(params: &Arc) -> (SecretKey, PublicKey) { diff --git a/examples/CRISP/server/src/server/routes/rounds.rs b/examples/CRISP/server/src/server/routes/rounds.rs index 06fceac3da..91ed6f13b5 100644 --- a/examples/CRISP/server/src/server/routes/rounds.rs +++ b/examples/CRISP/server/src/server/routes/rounds.rs @@ -15,7 +15,7 @@ use actix_web::{web, HttpResponse, Responder}; use alloy::primitives::{Address, Bytes, U256}; use alloy::sol_types::SolValue; use chrono::Utc; -use crisp_constants::get_default_paramset; +use e3_fhe_params::default_param_set; use e3_fhe_params::{build_bfv_params_from_set_arc, encode_bfv_params}; use e3_sdk::evm_helpers::contracts::{EnclaveContract, EnclaveRead, EnclaveWrite}; use log::{error, info}; @@ -199,7 +199,7 @@ pub async fn initialize_crisp_round( } info!("Generating parameters..."); - let params = encode_bfv_params(&build_bfv_params_from_set_arc(get_default_paramset())); + let params = encode_bfv_params(&build_bfv_params_from_set_arc(default_param_set())); let token_address: Address = token_address.parse()?; let balance_threshold = U256::from_str_radix(&balance_threshold, 10)?; diff --git a/packages/enclave-react/src/useEnclaveSDK.ts b/packages/enclave-react/src/useEnclaveSDK.ts index 9c1ae0d78d..52be055c44 100644 --- a/packages/enclave-react/src/useEnclaveSDK.ts +++ b/packages/enclave-react/src/useEnclaveSDK.ts 
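Review bot: Nothing in the hunk establishes that `e3_fhe_params::default_param_set()` yields the same parameters as the removed `crisp_constants::get_default_paramset()`, yet `generate_bfv_parameters` is where this CLI derives the key pair that must match the parameters of an existing round; if the two defaults differ, keys will silently be generated under a different (possibly weaker) parameter set. The function is also undocumented, and the SDK part of this same change lists an `INSECURE_THRESHOLD_512` preset alongside `SECURE_THRESHOLD_8192`, so it is not obvious from this call site which one "default" means. I would add above the fn: `/// BFV parameters for this CLI, taken from the workspace default preset.` / `/// Must match the preset the server publishes in initialize_crisp_round; TODO(review): confirm the default is not the INSECURE_THRESHOLD_512 dev preset in production builds.` The `Arc` return type's generic argument appears to have been lost in rendering, so I have not commented on it.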
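Review bot: The parameters encoded for a new round now come from a library-wide `default_param_set()` with no record of which preset was selected, so an operator reading the log line `info!("Generating parameters...")` cannot tell whether the round was initialized with the insecure development preset or the 8192-bit one (the SDK in this same change exposes both `INSECURE_THRESHOLD_512` and `SECURE_THRESHOLD_8192`, and this commit itself moved the default to a different crate, which is exactly the kind of dependency change that can flip it). At minimum the log should name the preset, e.g. `info!("Generating parameters from preset {:?}", default_param_set());` assuming the preset type implements `Debug`; better, make the preset an explicit server configuration value checked against an allow-list before `encode_bfv_params` is called, so an insecure preset cannot reach the chain by default. `initialize_crisp_round` starts and ends outside the hunk, so where the encoded `params` are later consumed is not visible here.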
@@ -68,7 +68,7 @@ export interface UseEnclaveSDKReturn { * enclave: '0x...', * ciphernodeRegistry: '0x...' * }, - * thresholdBfvParamsPresetName: 'INSECURE_THRESHOLD_BFV_512', + * thresholdBfvParamsPresetName: 'INSECURE_THRESHOLD_512', * }); * * // Use the SDK... diff --git a/packages/enclave-sdk/src/types.ts b/packages/enclave-sdk/src/types.ts index 71f0bb497b..bd0567875b 100644 --- a/packages/enclave-sdk/src/types.ts +++ b/packages/enclave-sdk/src/types.ts @@ -283,11 +283,11 @@ export interface BfvParams { error1Variance: string | undefined } -export type ThresholdBfvParamsPresetName = 'INSECURE_THRESHOLD_BFV_512' | 'SECURE_THRESHOLD_BFV_8192' +export type ThresholdBfvParamsPresetName = 'INSECURE_THRESHOLD_512' | 'SECURE_THRESHOLD_8192' export const ThresholdBfvParamsPresetNames = [ - 'INSECURE_THRESHOLD_BFV_512', - 'SECURE_THRESHOLD_BFV_8192', + 'INSECURE_THRESHOLD_512', + 'SECURE_THRESHOLD_8192', ] as const satisfies ReadonlyArray /** diff --git a/packages/enclave-sdk/tests/sdk.test.ts b/packages/enclave-sdk/tests/sdk.test.ts index 82aa570603..000c37ea1b 100644 --- a/packages/enclave-sdk/tests/sdk.test.ts +++ b/packages/enclave-sdk/tests/sdk.test.ts @@ -25,7 +25,7 @@ describe('encryptNumber', () => { }, rpcUrl: '', privateKey: '0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80', - thresholdBfvParamsPresetName: 'INSECURE_THRESHOLD_BFV_512', + thresholdBfvParamsPresetName: 'INSECURE_THRESHOLD_512', }) it('should encrypt a number without crashing in a node environent', async () => { diff --git a/templates/default/Cargo.lock b/templates/default/Cargo.lock index 099a6322ab..97e041d1e0 100644 --- a/templates/default/Cargo.lock +++ b/templates/default/Cargo.lock @@ -65,7 +65,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e01ed3140b2f8d422c68afa1ed2e85d996ea619c988ac834d255db32138655cb" dependencies = [ "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] 
@@ -182,7 +182,7 @@ dependencies = [ "actix-router", "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] @@ -299,9 +299,9 @@ dependencies = [ [[package]] name = "alloy-rlp" -version = "0.3.12" +version = "0.3.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f70d83b765fdc080dbcd4f4db70d8d23fe4761f2f02ebfa9146b833900634b4" +checksum = "e93e50f64a77ad9c5470bf2ad0ca02f228da70c792a8f06634801e202579f35e" dependencies = [ "arrayvec", "bytes", @@ -309,23 +309,23 @@ dependencies = [ [[package]] name = "alloy-sol-macro" -version = "1.4.1" +version = "1.5.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f3ce480400051b5217f19d6e9a82d9010cdde20f1ae9c00d53591e4a1afbb312" +checksum = "f5fa1ca7e617c634d2bd9fa71f9ec8e47c07106e248b9fcbd3eaddc13cabd625" dependencies = [ "alloy-sol-macro-expander", "alloy-sol-macro-input", "proc-macro-error2", "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] name = "alloy-sol-macro-expander" -version = "1.4.1" +version = "1.5.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6d792e205ed3b72f795a8044c52877d2e6b6e9b1d13f431478121d8d4eaa9028" +checksum = "27c00c0c3a75150a9dc7c8c679ca21853a137888b4e1c5569f92d7e2b15b5102" dependencies = [ "alloy-sol-macro-input", "const-hex", @@ -334,16 +334,16 @@ dependencies = [ "proc-macro-error2", "proc-macro2", "quote", - "syn 2.0.111", + "sha3", + "syn 2.0.114", "syn-solidity", - "tiny-keccak", ] [[package]] name = "alloy-sol-macro-input" -version = "1.4.1" +version = "1.5.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0bd1247a8f90b465ef3f1207627547ec16940c35597875cdc09c49d58b19693c" +checksum = "297db260eb4d67c105f68d6ba11b8874eec681caec5505eab8fbebee97f790bc" dependencies = [ "const-hex", "dunce", 
@@ -351,15 +351,15 @@ dependencies = [ "macro-string", "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", "syn-solidity", ] [[package]] name = "alloy-sol-type-parser" -version = "1.4.1" +version = "1.5.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "954d1b2533b9b2c7959652df3076954ecb1122a28cc740aa84e7b0a49f6ac0a9" +checksum = "94b91b13181d3bcd23680fd29d7bc861d1f33fbe90fdd0af67162434aeba902d" dependencies = [ "serde", "winnow", @@ -587,7 +587,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "62945a2f7e6de02a31fe400aa489f0e0f5b2502e69f95f853adb82a96c7a6b60" dependencies = [ "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] @@ -625,7 +625,7 @@ dependencies = [ "num-traits", "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] @@ -710,7 +710,7 @@ checksum = "213888f660fddcca0d257e88e54ac05bca01885f258ccdf695bafd77031bb69d" dependencies = [ "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] @@ -769,7 +769,7 @@ checksum = "ffdcb70bdbc4d478427380519163274ac86e52916e10f0a8889adf0f96d3fee7" dependencies = [ "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] @@ -807,9 +807,9 @@ checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6" [[package]] name = "base64ct" -version = "1.8.1" +version = "1.8.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0e050f626429857a27ddccb31e0aca21356bfa709c04041aefddac081a8f068a" +checksum = "2af50177e190e07a26ab74f8b1efbfe2ef87da2116221318cb1c2e82baf7de06" [[package]] name = "bincode" 
@@ -855,15 +855,16 @@ dependencies = [ [[package]] name = "blake3" -version = "1.8.2" +version = "1.8.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3888aaa89e4b2a40fca9848e400f6a658a5a3978de7be858e209cafa8be9a4a0" +checksum = "2468ef7d57b3fb7e16b576e8377cdbde2320c60e1491e961d11da40fc4f02a2d" dependencies = [ "arrayref", "arrayvec", "cc", "cfg-if", "constant_time_eq", + "cpufeatures", ] [[package]] @@ -898,9 +899,9 @@ dependencies = [ [[package]] name = "bumpalo" -version = "3.19.0" +version = "3.19.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "46c5e41b57b8bba42a04676d81cb89e9ee8e859a1a66f80a5a72e1cb76b34d43" +checksum = "5dd9dc738b7a8311c7ade152424974d8115f2cdad61e8dab8dac9f2362298510" [[package]] name = "byte-slice-cast" @@ -934,9 +935,9 @@ dependencies = [ [[package]] name = "cc" -version = "1.2.49" +version = "1.2.55" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "90583009037521a116abf44494efecd645ba48b6622457080f080b85544e2215" +checksum = "47b26a0954ae34af09b50f0de26458fa95369a0d478d8236d3f93082b219bd29" dependencies = [ "find-msvc-tools", "jobserver", @@ -952,9 +953,9 @@ checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801" [[package]] name = "chrono" -version = "0.4.42" +version = "0.4.43" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "145052bdd345b87320e369255277e3fb5152762ad123a901ef5c262dd38fe8d2" +checksum = "fac4744fb15ae8337dc853fee7fb3f4e48c0fbaa23d0afe49c447b4fab126118" dependencies = [ "iana-time-zone", "js-sys", @@ -995,7 +996,7 @@ dependencies = [ "heck", "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] 
@@ -1050,9 +1051,9 @@ dependencies = [ [[package]] name = "constant_time_eq" -version = "0.3.1" +version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7c74b8349d32d297c9134b8c88677813a227df8f779daa29bfc29c183fe3dca6" +checksum = "3d52eff69cd5e647efe296129160853a42795992097e8af39800e1060caeea9b" [[package]] name = "convert_case" @@ -1193,24 +1194,24 @@ dependencies = [ [[package]] name = "derive_more" -version = "2.1.0" +version = "2.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "10b768e943bed7bf2cab53df09f4bc34bfd217cdb57d971e769874c9a6710618" +checksum = "d751e9e49156b02b44f9c1815bcb94b984cdcc4396ecc32521c739452808b134" dependencies = [ "derive_more-impl", ] [[package]] name = "derive_more-impl" -version = "2.1.0" +version = "2.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6d286bfdaf75e988b4a78e013ecd79c581e06399ab53fbacd2d916c2f904f30b" +checksum = "799a97264921d8623a957f6c3b9011f3b5492f557bbb7a5a19b7fa6d06ba8dcb" dependencies = [ "convert_case", "proc-macro2", "quote", "rustc_version 0.4.1", - "syn 2.0.111", + "syn 2.0.114", "unicode-xid", ] @@ -1243,7 +1244,7 @@ checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0" dependencies = [ "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] @@ -1325,6 +1326,17 @@ dependencies = [ "thiserror", ] +[[package]] +name = "e3-polynomial" +version = "0.1.8" +source = "git+https://github.com/gnosisguild/enclave?branch=main#ebf6f386dcefd6ab9c5060d4b8932ed1fa1132b9" +dependencies = [ + "num-bigint", + "num-traits", + "serde", + "thiserror", +] + [[package]] name = "e3-program-server" version = "0.1.8" 
@@ -1351,6 +1363,18 @@ dependencies = [ "taceo-poseidon2", ] +[[package]] +name = "e3-safe" +version = "0.1.8" +source = "git+https://github.com/gnosisguild/enclave#ebf6f386dcefd6ab9c5060d4b8932ed1fa1132b9" +dependencies = [ + "ark-bn254 0.5.0", + "ark-ff 0.5.0", + "hex", + "sha3", + "taceo-poseidon2", +] + [[package]] name = "e3-support-scripts-dev" version = "0.1.0" @@ -1380,8 +1404,8 @@ version = "0.1.8" dependencies = [ "ark-bn254 0.5.0", "ark-ff 0.5.0", - "e3-polynomial", - "e3-safe", + "e3-polynomial 0.1.8", + "e3-safe 0.1.8", "fhe", "num-bigint", "num-traits", @@ -1411,7 +1435,7 @@ dependencies = [ "enum-ordinalize", "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] @@ -1465,7 +1489,7 @@ checksum = "8ca9601fb2d62598ee17836250842873a413586e5d7ed88b356e38ddbb0ec631" dependencies = [ "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] @@ -1601,9 +1625,9 @@ dependencies = [ [[package]] name = "find-msvc-tools" -version = "0.1.5" +version = "0.1.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3a3076410a55c90011c298b04d0cfa770b00fa04e1e3c97d3f6c9de105a03844" +checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582" [[package]] name = "fixed-hash" @@ -1625,9 +1649,9 @@ checksum = "0ce7134b9999ecaf8bcd65542e436736ef32ddca1b3e06094cb6ec5755203b80" [[package]] name = "flate2" -version = "1.1.5" +version = "1.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bfe33edd8e85a12a67454e37f8c75e730830d83e313556ab9ebf9ee7fbeb3bfb" +checksum = "b375d6465b98090a5f25b1c7703f3859783755aa9a80433b36e0379a3ec2f369" dependencies = [ "crc32fast", "miniz_oxide", @@ -1712,6 +1736,7 @@ dependencies = [ "futures-task", "pin-project-lite", "pin-utils", + "slab", ] [[package]] 
@@ -1727,9 +1752,9 @@ dependencies = [ [[package]] name = "getrandom" -version = "0.2.16" +version = "0.2.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "335ff9f135e4384c8150d6f27c6daed433577f86b4750418338c01a1a2528592" +checksum = "ff2abc00be7fca6ebc474524697ae276ad847ad0a6b3faa4bcb027e9a4614ad0" dependencies = [ "cfg-if", "libc", @@ -1786,9 +1811,9 @@ dependencies = [ [[package]] name = "h2" -version = "0.4.12" +version = "0.4.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f3c0b69cfcb4e1b9f1bf2f53f95f766e4661169728ec61cd3fe5a0166f2d1386" +checksum = "2f44da3a8150a6703ed5d34e164b875fd14c2cdab9af1252a9a1020bde2bdc54" dependencies = [ "atomic-waker", "bytes", @@ -1917,7 +1942,7 @@ dependencies = [ "bytes", "futures-channel", "futures-core", - "h2 0.4.12", + "h2 0.4.13", "http 1.4.0", "http-body", "httparse", @@ -1963,14 +1988,13 @@ dependencies = [ [[package]] name = "hyper-util" -version = "0.1.19" +version = "0.1.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "727805d60e7938b76b826a6ef209eb70eaa1812794f9424d4a4e2d740662df5f" +checksum = "96547c2556ec9d12fb1578c4eaf448b04993e7fb79cbaad930a656880a6bdfa0" dependencies = [ "base64", "bytes", "futures-channel", - "futures-core", "futures-util", "http 1.4.0", "http-body", @@ -1979,7 +2003,7 @@ dependencies = [ "libc", "percent-encoding", "pin-project-lite", - "socket2 0.6.1", + "socket2 0.6.2", "system-configuration", "tokio", "tower-service", @@ -1989,9 +2013,9 @@ dependencies = [ [[package]] name = "iana-time-zone" -version = "0.1.64" +version = "0.1.65" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "33e57f83510bb73707521ebaffa789ec8caf86f9657cad665b092b581d40e9fb" +checksum = "e31bc9ad994ba00e440a8aa5c9ef0ec67d5cb5e5cb0cc7f8b744a35b389cc470" dependencies = [ "android_system_properties", "core-foundation-sys", 
@@ -2136,14 +2160,14 @@ checksum = "a0eb5a3343abf848c0984fe4604b2b105da9539376e24fc0a3b0007411ae4fd9" dependencies = [ "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] name = "indexmap" -version = "2.12.1" +version = "2.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0ad4bb2b565bca0645f4d68c5c9af97fba094e9791da685bf83cb5f3ce74acf2" +checksum = "7714e70437a7dc3ac8eb7e6f8df75fd8eb422675fc7678aff7364301092b1017" dependencies = [ "equivalent", "hashbrown 0.16.1", @@ -2170,9 +2194,9 @@ checksum = "469fb0b9cefa57e3ef31275ee7cacb78f2fdca44e4765491884a2b119d4eb130" [[package]] name = "iri-string" -version = "0.7.9" +version = "0.7.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4f867b9d1d896b67beb18518eda36fdb77a32ea590de864f1325b294a6d14397" +checksum = "c91338f0783edbd6195decb37bae672fd3b165faffb89bf7b9e6942f8b1a731a" dependencies = [ "memchr", "serde", @@ -2222,9 +2246,9 @@ dependencies = [ [[package]] name = "itoa" -version = "1.0.15" +version = "1.0.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c" +checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2" [[package]] name = "jobserver" @@ -2238,9 +2262,9 @@ dependencies = [ [[package]] name = "js-sys" -version = "0.3.83" +version = "0.3.85" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "464a3709c7f55f1f721e5389aa6ea4e3bc6aba669353300af094b29ffbdde1d8" +checksum = "8c942ebf8e95485ca0d52d97da7c5a2c387d0e7f0ba4c35e93bfcaee045955b3" dependencies = [ "once_cell", "wasm-bindgen", 
@@ -2270,9 +2294,9 @@ dependencies = [ [[package]] name = "keccak-asm" -version = "0.1.4" +version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "505d1856a39b200489082f90d897c3f07c455563880bc5952e38eabf731c83b6" +checksum = "b646a74e746cd25045aa0fd42f4f7f78aa6d119380182c7e63a5593c4ab8df6f" dependencies = [ "digest 0.10.7", "sha3-asm", @@ -2304,15 +2328,15 @@ dependencies = [ [[package]] name = "libc" -version = "0.2.178" +version = "0.2.180" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "37c93d8daa9d8a012fd8ab92f088405fb202ea0b6ab73ee2482ae66af4f42091" +checksum = "bcc35a38544a891a5f7c865aca548a982ccb3b8650a5b06d0fd33a10283c56fc" [[package]] name = "libm" -version = "0.2.15" +version = "0.2.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f9fbbcab51052fe104eb5e5d351cf728d30a5be1fe14d9be8a3b097481fb97de" +checksum = "b6d2cec3eae94f9f509c767b45932f1ada8350c4bdb85af2fcab4a3c14807981" [[package]] name = "light-poseidon" @@ -2378,7 +2402,7 @@ checksum = "1b27834086c65ec3f9387b096d66e99f221cf081c2b738042aa252bcd41204e3" dependencies = [ "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] @@ -2603,7 +2627,7 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] @@ -2649,7 +2673,7 @@ dependencies = [ "proc-macro-crate", "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] @@ -2689,9 +2713,9 @@ checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220" [[package]] name = "pest" -version = "2.8.4" +version = "2.8.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cbcfd20a6d4eeba40179f05735784ad32bdaef05ce8e8af05f180d45bb3e7e22" +checksum = "2c9eb05c21a464ea704b53158d358a31e6425db2f63a1a7312268b05fe2b75f7" dependencies = [ "memchr", "ucd-trie", 
@@ -2735,17 +2759,6 @@ version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c" -[[package]] -name = "polynomial" -version = "0.1.7" -source = "git+https://github.com/gnosisguild/enclave?branch=main#54db685297b55d517aa86a6005e77e9a0354af02" -dependencies = [ - "num-bigint", - "num-traits", - "serde", - "thiserror", -] - [[package]] name = "potential_utf" version = "0.1.4" @@ -2777,7 +2790,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "479ca8adacdd7ce8f1fb39ce9ecccbfe93a3f1344b3d0d97f20bc0196208f62b" dependencies = [ "proc-macro2", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] @@ -2808,7 +2821,7 @@ version = "3.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "219cb19e96be00ab2e37d6e299658a0cfa83e52429179969b0f0121b4ac46983" dependencies = [ - "toml_edit 0.23.9", + "toml_edit 0.23.10+spec-1.0.0", ] [[package]] @@ -2830,14 +2843,14 @@ dependencies = [ "proc-macro-error-attr2", "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] name = "proc-macro2" -version = "1.0.103" +version = "1.0.106" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5ee95bc4ef87b8d5ba32e8b7714ccc834865276eab0aed5c9958d00ec45f49e8" +checksum = "8fd00f0bb2e90d81d1044c2b32617f68fcb9fa3bb7640c23e9c748e53fb30934" dependencies = [ "unicode-ident", ] @@ -2888,7 +2901,7 @@ dependencies = [ "prost", "prost-types", "regex", - "syn 2.0.111", + "syn 2.0.114", "tempfile", ] @@ -2902,7 +2915,7 @@ dependencies = [ "itertools 0.12.1", "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] 
@@ -2922,9 +2935,9 @@ checksum = "a1d01941d82fa2ab50be1e79e6714289dd7cde78eba4c074bc5a4374f650dfe0" [[package]] name = "quote" -version = "1.0.42" +version = "1.0.44" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a338cc41d27e6cc6dce6cefc13a0729dfbb81c262b1f519331575dd80ef3067f" +checksum = "21b2ebcf727b7760c461f091f9f0f539b77b8e87f2fd88131e7f1b433b3cece4" dependencies = [ "proc-macro2", ] @@ -2959,7 +2972,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1" dependencies = [ "rand_chacha 0.9.0", - "rand_core 0.9.3", + "rand_core 0.9.5", "serde", ] @@ -2980,7 +2993,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb" dependencies = [ "ppv-lite86", - "rand_core 0.9.3", + "rand_core 0.9.5", ] [[package]] @@ -2989,14 +3002,14 @@ version = "0.6.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c" dependencies = [ - "getrandom 0.2.16", + "getrandom 0.2.17", ] [[package]] name = "rand_core" -version = "0.9.3" +version = "0.9.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "99d9a13982dcf210057a8a78572b2217b667c3beacbf3a0d8b454f6f82837d38" +checksum = "76afc826de14238e6e8c374ddcc1fa19e374fd8dd986b0d2af0d02377261d83c" dependencies = [ "getrandom 0.3.4", "serde", @@ -3018,7 +3031,7 @@ version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "513962919efc330f829edb2535844d1b912b0fbe2ca165d613e4e8788bb05a5a" dependencies = [ - "rand_core 0.9.3", + "rand_core 0.9.5", ] [[package]] @@ -3101,7 +3114,7 @@ dependencies = [ "bytes", "encoding_rs", "futures-core", - "h2 0.4.12", + "h2 0.4.13", "http 1.4.0", "http-body", "http-body-util", 
@@ -3149,7 +3162,7 @@ checksum = "a4689e6c2294d81e88dc6261c768b63bc4fcdb852be6d1352498b114f61383b7" dependencies = [ "cc", "cfg-if", - "getrandom 0.2.16", + "getrandom 0.2.17", "libc", "untrusted", "windows-sys 0.52.0", @@ -3167,9 +3180,9 @@ dependencies = [ [[package]] name = "ruint" -version = "1.17.0" +version = "1.17.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a68df0380e5c9d20ce49534f292a36a7514ae21350726efe1865bdb1fa91d278" +checksum = "c141e807189ad38a07276942c6623032d3753c8859c146104ac2e4d68865945a" dependencies = [ "alloy-rlp", "ark-ff 0.3.0", @@ -3201,9 +3214,9 @@ checksum = "48fd7bd8a6377e15ad9d42a8ec25371b94ddc67abe7c8b9127bec79bebaaae18" [[package]] name = "rustc-demangle" -version = "0.1.26" +version = "0.1.27" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "56f7d92ca342cea22a06f2121d944b4fd82af56988c270852495420f961d4ace" +checksum = "b50b8869d9fc858ce7266cce0194bd74df58b9d0e3f6df3a9fc8eb470d95c09d" [[package]] name = "rustc-hash" @@ -3237,9 +3250,9 @@ dependencies = [ [[package]] name = "rustix" -version = "1.1.2" +version = "1.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cd15f8a2c5551a84d56efdc1cd049089e409ac19a3072d5037a17fd70719ff3e" +checksum = "146c9e247ccc180c1f61615433868c99f3de3ae256a30a43b49f67c2d9171f34" dependencies = [ "bitflags", "errno", @@ -3250,9 +3263,9 @@ dependencies = [ [[package]] name = "rustls" -version = "0.23.35" +version = "0.23.36" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "533f54bc6a7d4f647e46ad909549eda97bf5afc1585190ef692b4286b198bd8f" +checksum = "c665f33d38cea657d9614f766881e4d510e0eda4239891eea56b4cadcf01801b" dependencies = [ "once_cell", "rustls-pki-types", 
@@ -3263,18 +3276,18 @@ dependencies = [ [[package]] name = "rustls-pki-types" -version = "1.13.1" +version = "1.14.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "708c0f9d5f54ba0272468c1d306a52c495b31fa155e91bc25371e6df7996908c" +checksum = "be040f8b0a225e40375822a563fa9524378b9d63112f53e19ffff34df5d33fdd" dependencies = [ "zeroize", ] [[package]] name = "rustls-webpki" -version = "0.103.8" +version = "0.103.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2ffdfa2f5286e2247234e03f680868ac2815974dc39e00ea15adc445d0aafe52" +checksum = "d7df23109aa6c1567d1c575b9952556388da57401e4ace1d15f79eedad0d8f53" dependencies = [ "ring", "rustls-pki-types", @@ -3301,21 +3314,9 @@ dependencies = [ [[package]] name = "ryu" -version = "1.0.20" +version = "1.0.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "28d3b2b1366ec20994f1fd18c3c594f05c5dd4bc44d8bb0c1c632c8d6829481f" - -[[package]] -name = "safe" -version = "0.1.7" -source = "git+https://github.com/gnosisguild/enclave#54db685297b55d517aa86a6005e77e9a0354af02" -dependencies = [ - "ark-bn254 0.5.0", - "ark-ff 0.5.0", - "hex", - "sha3", - "taceo-poseidon2", -] +checksum = "a50f4cf475b65d88e057964e0e9bb1f0aa9bbb2036dc65c64596b42932536984" [[package]] name = "schannel" @@ -3420,7 +3421,7 @@ checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79" dependencies = [ "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] @@ -3490,9 +3491,9 @@ dependencies = [ [[package]] name = "sha3-asm" -version = "0.1.4" +version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c28efc5e327c837aa837c59eae585fc250715ef939ac32881bcc11677cd02d46" +checksum = "b31139435f327c93c6038ed350ae4588e2c70a13d50599509fee6349967ba35a" dependencies = [ "cc", "cfg-if", 
@@ -3506,10 +3507,11 @@ checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" [[package]] name = "signal-hook-registry" -version = "1.4.7" +version = "1.4.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7664a098b8e616bdfcc2dc0e9ac44eb231eedf41db4e9fe95d8d32ec728dedad" +checksum = "c4db69cba1110affc0e9f7bcd48bbf87b3f4fc7c61fc9155afd4c469eb3d6c1b" dependencies = [ + "errno", "libc", ] @@ -3531,9 +3533,9 @@ checksum = "e320a6c5ad31d271ad523dcf3ad13e2767ad8b1cb8f047f75a8aeaf8da139da2" [[package]] name = "slab" -version = "0.4.11" +version = "0.4.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7a2ae44ef20feb57a68b23d846850f861394c2e02dc425a50098ae8c90267589" +checksum = "0c790de23124f9ab44544d7ac05d60440adc586479ce501c1d6d7da3cd8c9cf5" [[package]] name = "smallvec" @@ -3553,9 +3555,9 @@ dependencies = [ [[package]] name = "socket2" -version = "0.6.1" +version = "0.6.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "17129e116933cf371d018bb80ae557e889637989d8638274fb25622827b03881" +checksum = "86f4aa3ad99f2088c990dfa82d367e19cb29268ed67c574d10d0a4bfe71f07e0" dependencies = [ "libc", "windows-sys 0.60.2", @@ -3614,9 +3616,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.111" +version = "2.0.114" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "390cc9a294ab71bdb1aa2e99d13be9c753cd2d7bd6560c77118597410c4d2e87" +checksum = "d4d107df263a3013ef9b1879b0df87d706ff80f65a86ea879bd9c31f9b307c2a" dependencies = [ "proc-macro2", "quote", 
@@ -3625,14 +3627,14 @@ dependencies = [ [[package]] name = "syn-solidity" -version = "1.4.1" +version = "1.5.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ff790eb176cc81bb8936aed0f7b9f14fc4670069a2d371b3e3b0ecce908b2cb3" +checksum = "2379beea9476b89d0237078be761cf8e012d92d5ae4ae0c9a329f974838870fc" dependencies = [ "paste", "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] @@ -3652,14 +3654,14 @@ checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2" dependencies = [ "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] name = "system-configuration" -version = "0.6.1" +version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3c879d448e9d986b661742763247d3693ed13609438cf3d006f51f5368a5ba6b" +checksum = "a13f3d0daba03132c0aa9767f98351b3488edc2c100cda2d2ec2b04f3d8d3c8b" dependencies = [ "bitflags", "core-foundation", @@ -3678,9 +3680,9 @@ dependencies = [ [[package]] name = "taceo-poseidon2" -version = "0.2.0" +version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9fbf106fb8682ee4e057872a18f431828bd467c28d2ead469e4c84dbf6ce5ec6" +checksum = "ac59d3df4c827b3496bff929aebd6440997a5c2e946f46ff4fdd76f318447581" dependencies = [ "ark-bn254 0.5.0", "ark-ff 0.5.0", @@ -3697,9 +3699,9 @@ checksum = "55937e1799185b12863d447f42597ed69d9928686b8d88a1df17376a097d8369" [[package]] name = "tempfile" -version = "3.23.0" +version = "3.24.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2d31c77bdf42a745371d260a26ca7163f1e0924b64afa0b688e61b5a9fa02f16" +checksum = "655da9c7eb6305c55742045d5a8d2037996d61d8de95806335c7c86ce0f82e9c" dependencies = [ "fastrand", "getrandom 0.3.4", 
@@ -3725,35 +3727,35 @@ checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1" dependencies = [ "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] name = "time" -version = "0.3.44" +version = "0.3.45" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "91e7d9e3bb61134e77bde20dd4825b97c010155709965fedf0f49bb138e52a9d" +checksum = "f9e442fc33d7fdb45aa9bfeb312c095964abdf596f7567261062b2a7107aaabd" dependencies = [ "deranged", "itoa", "num-conv", "powerfmt", - "serde", + "serde_core", "time-core", "time-macros", ] [[package]] name = "time-core" -version = "0.1.6" +version = "0.1.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "40868e7c1d2f0b8d73e4a8c7f0ff63af4f6d19be117e90bd73eb1d62cf831c6b" +checksum = "8b36ee98fd31ec7426d599183e8fe26932a8dc1fb76ddb6214d05493377d34ca" [[package]] name = "time-macros" -version = "0.2.24" +version = "0.2.25" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "30cfb0125f12d9c277f35663a0a33f8c30190f4e4574868a330595412d34ebf3" +checksum = "71e552d1249bf61ac2a52db88179fd0673def1e1ad8243a00d9ec9ed71fee3dd" dependencies = [ "num-conv", "time-core", @@ -3806,7 +3808,7 @@ checksum = "6e06d43f1345a3bcd39f6a56dbb7dcab2ba47e68e8ac134855e7e2bdbaf8cab8" dependencies = [ "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] @@ -3831,9 +3833,9 @@ dependencies = [ [[package]] name = "tokio-util" -version = "0.7.17" +version = "0.7.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2efa149fe76073d6e8fd97ef4f4eca7b67f599660115591483572e406e165594" +checksum = "9ae9cec805b01e8fc3fd2fe289f89149a9b66dd16786abd8b19cfa7b48cb0098" dependencies = [ "bytes", "futures-core", 
@@ -3865,9 +3867,9 @@ dependencies = [ [[package]] name = "toml_datetime" -version = "0.7.3" +version = "0.7.5+spec-1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f2cdb639ebbc97961c51720f858597f7f24c4fc295327923af55b74c3c724533" +checksum = "92e1cfed4a3038bc5a127e35a2d360f145e1f4b971b551a2ba5fd7aedf7e1347" dependencies = [ "serde_core", ] @@ -3888,21 +3890,21 @@ dependencies = [ [[package]] name = "toml_edit" -version = "0.23.9" +version = "0.23.10+spec-1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5d7cbc3b4b49633d57a0509303158ca50de80ae32c265093b24c414705807832" +checksum = "84c8b9f757e028cee9fa244aea147aab2a9ec09d5325a9b01e0a49730c2b5269" dependencies = [ "indexmap", - "toml_datetime 0.7.3", + "toml_datetime 0.7.5+spec-1.1.0", "toml_parser", "winnow", ] [[package]] name = "toml_parser" -version = "1.0.4" +version = "1.0.6+spec-1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c0cbe268d35bdb4bb5a56a2de88d0ad0eb70af5384a99d648cd4b3d04039800e" +checksum = "a3198b4b0a8e11f09dd03e133c0280504d0801269e9afa46362ffde1cbeebf44" dependencies = [ "winnow", ] @@ -3915,9 +3917,9 @@ checksum = "5d99f8c9a7727884afe522e9bd5edbfc91a3312b36a77b5fb8926e4c31a41801" [[package]] name = "tower" -version = "0.5.2" +version = "0.5.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d039ad9159c98b70ecfd540b2573b97f7f52c3e8d9f8ad57a24b916a536975f9" +checksum = "ebe5ef63511595f1344e2d5cfa636d973292adc0eec1f0ad45fae9f0851ab1d4" dependencies = [ "futures-core", "futures-util", 
@@ -3960,9 +3962,9 @@ checksum = "8df9b6e13f2d32c91b9bd719c00d1958837bc7dec474d94952798cc8e69eeec3" [[package]] name = "tracing" -version = "0.1.43" +version = "0.1.44" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2d15d90a0b5c19378952d479dc858407149d7bb45a14de0142f6c534b16fc647" +checksum = "63e71662fa4b2a2c3a26f570f037eb95bb1f85397f3cd8076caed2f026a6d100" dependencies = [ "log", "pin-project-lite", @@ -3978,14 +3980,14 @@ checksum = "7490cfa5ec963746568740651ac6781f701c9c5ea257c58e057f3ba8cf69e8da" dependencies = [ "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] name = "tracing-core" -version = "0.1.35" +version = "0.1.36" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7a04e24fab5c89c6a36eb8558c9656f30d81de51dfa4d3b45f26b21d61fa0a6c" +checksum = "db97caf9d906fbde555dd62fa95ddba9eecfd14cb388e4f491a66d74cd5fb79a" dependencies = [ "once_cell", ] @@ -4052,9 +4054,9 @@ checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1" [[package]] name = "url" -version = "2.5.7" +version = "2.5.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "08bc136a29a3d1758e07a9cca267be308aeebf5cfd5a10f3f67ab2097683ef5b" +checksum = "ff67a8a4397373c3ef660812acab3268222035010ab8680ec4215f38ba3d0eed" dependencies = [ "form_urlencoded", "idna", @@ -4127,9 +4129,9 @@ dependencies = [ [[package]] name = "wasm-bindgen" -version = "0.2.106" +version = "0.2.108" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0d759f433fa64a2d763d1340820e46e111a7a5ab75f993d1852d70b03dbb80fd" +checksum = "64024a30ec1e37399cf85a7ffefebdb72205ca1c972291c51512360d90bd8566" dependencies = [ "cfg-if", "once_cell", 
@@ -4140,11 +4142,12 @@ dependencies = [ [[package]] name = "wasm-bindgen-futures" -version = "0.4.56" +version = "0.4.58" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "836d9622d604feee9e5de25ac10e3ea5f2d65b41eac0d9ce72eb5deae707ce7c" +checksum = "70a6e77fd0ae8029c9ea0063f87c46fde723e7d887703d74ad2616d792e51e6f" dependencies = [ "cfg-if", + "futures-util", "js-sys", "once_cell", "wasm-bindgen", @@ -4153,9 +4156,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro" -version = "0.2.106" +version = "0.2.108" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "48cb0d2638f8baedbc542ed444afc0644a29166f1595371af4fecf8ce1e7eeb3" +checksum = "008b239d9c740232e71bd39e8ef6429d27097518b6b30bdf9086833bd5b6d608" dependencies = [ "quote", "wasm-bindgen-macro-support", @@ -4163,31 +4166,31 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro-support" -version = "0.2.106" +version = "0.2.108" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cefb59d5cd5f92d9dcf80e4683949f15ca4b511f4ac0a6e14d4e1ac60c6ecd40" +checksum = "5256bae2d58f54820e6490f9839c49780dff84c65aeab9e772f15d5f0e913a55" dependencies = [ "bumpalo", "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", "wasm-bindgen-shared", ] [[package]] name = "wasm-bindgen-shared" -version = "0.2.106" +version = "0.2.108" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cbc538057e648b67f72a982e708d485b2efa771e1ac05fec311f9f63e5800db4" +checksum = "1f01b580c9ac74c8d8f0c0e4afb04eeef2acf145458e52c03845ee9cd23e3d12" dependencies = [ "unicode-ident", ] [[package]] name = "web-sys" -version = "0.3.83" +version = "0.3.85" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9b32828d774c412041098d182a8b38b16ea816958e07cf40eec2bc080ae137ac" +checksum = "312e32e551d92129218ea9a2452120f4aabc03529ef03e4d0d82fb2780608598" dependencies = [ "js-sys", "wasm-bindgen", 
@@ -4214,7 +4217,7 @@ checksum = "053e2e040ab57b9dc951b72c264860db7eb3b0200ba345b4e4c3b14f67855ddf" dependencies = [ "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] @@ -4225,7 +4228,7 @@ checksum = "3f316c4a2570ba26bbec722032c4099d8c8bc095efccdc15688708623367e358" dependencies = [ "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] @@ -4468,28 +4471,28 @@ checksum = "b659052874eb698efe5b9e8cf382204678a0086ebf46982b79d6ca3182927e5d" dependencies = [ "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", "synstructure", ] [[package]] name = "zerocopy" -version = "0.8.31" +version = "0.8.37" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fd74ec98b9250adb3ca554bdde269adf631549f51d8a8f8f0a10b50f1cb298c3" +checksum = "7456cf00f0685ad319c5b1693f291a650eaf345e941d082fc4e03df8a03996ac" dependencies = [ "zerocopy-derive", ] [[package]] name = "zerocopy-derive" -version = "0.8.31" +version = "0.8.37" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d8a8d209fdf45cf5138cbb5a506f6b52522a25afccc534d1475dad8e31105c6a" +checksum = "1328722bbf2115db7e19d69ebcc15e795719e2d66b60827c6a69a117365e37a0" dependencies = [ "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] @@ -4509,7 +4512,7 @@ checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502" dependencies = [ "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", "synstructure", ] @@ -4524,13 +4527,13 @@ dependencies = [ [[package]] name = "zeroize_derive" -version = "1.4.2" +version = "1.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69" +checksum = "85a5b4158499876c763cb03bc4e49185d3cccbabb15b33c627f7884f43db852e" dependencies = [ "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] 
@@ -4563,7 +4566,7 @@ checksum = "eadce39539ca5cb3985590102671f2567e659fca9666581ad3411d59207951f3" dependencies = [ "proc-macro2", "quote", - "syn 2.0.111", + "syn 2.0.114", ] [[package]] @@ -4579,19 +4582,19 @@ dependencies = [ [[package]] name = "zkfhe-greco" version = "0.1.0" -source = "git+https://github.com/gnosisguild/zkfhe-generator#02131ceea13a9ff154a4d8cdd534261dacbfc724" +source = "git+https://github.com/gnosisguild/zkfhe-generator#f93990c3064b636dff0b6efead48a3a4341c90db" dependencies = [ "anyhow", "ark-bn254 0.5.0", "ark-ff 0.5.0", "blake3", + "e3-polynomial 0.1.8 (git+https://github.com/gnosisguild/enclave?branch=main)", "fhe", "fhe-math", "fhe-traits", "itertools 0.14.0", "num-bigint", "num-traits", - "polynomial", "rand 0.8.5", "rayon", "serde", @@ -4604,20 +4607,20 @@ dependencies = [ [[package]] name = "zkfhe-shared" version = "0.1.0" -source = "git+https://github.com/gnosisguild/zkfhe-generator#02131ceea13a9ff154a4d8cdd534261dacbfc724" +source = "git+https://github.com/gnosisguild/zkfhe-generator#f93990c3064b636dff0b6efead48a3a4341c90db" dependencies = [ "anyhow", "ark-bn254 0.5.0", "ark-ff 0.5.0", "chrono", + "e3-polynomial 0.1.8 (git+https://github.com/gnosisguild/enclave?branch=main)", + "e3-safe 0.1.8 (git+https://github.com/gnosisguild/enclave)", "fhe", "fhe-math", "fhe-traits", "num-bigint", "num-traits", - "polynomial", "rand 0.8.5", - "safe", "serde", "serde_json", "thiserror", diff --git a/templates/default/client/src/utils/env-config.ts b/templates/default/client/src/utils/env-config.ts index 311d5db428..08392c4400 100644 --- a/templates/default/client/src/utils/env-config.ts +++ b/templates/default/client/src/utils/env-config.ts 
@@ -10,7 +10,7 @@ export const REGISTRY_ADDRESS = import.meta.env.VITE_REGISTRY_ADDRESS export const BONDING_REGISTRY_ADDRESS = import.meta.env.VITE_BONDING_REGISTRY_ADDRESS export const FEE_TOKEN_ADDRESS = import.meta.env.VITE_FEE_TOKEN_ADDRESS export const RPC_URL = import.meta.env.VITE_RPC_URL || 'http://localhost:8545' -export const THRESHOLD_BFV_PARAMS_PRESET_NAME = import.meta.env.VITE_THRESHOLD_BFV_PARAMS_PRESET_NAME || 'INSECURE_THRESHOLD_BFV_512' +export const THRESHOLD_BFV_PARAMS_PRESET_NAME = import.meta.env.VITE_THRESHOLD_BFV_PARAMS_PRESET_NAME || 'INSECURE_THRESHOLD_512' const requiredEnvVars = { VITE_ENCLAVE_ADDRESS: ENCLAVE_ADDRESS, diff --git a/templates/default/program/src/lib.rs b/templates/default/program/src/lib.rs index b29231ae3a..857848e665 100644 --- a/templates/default/program/src/lib.rs +++ b/templates/default/program/src/lib.rs @@ -26,7 +26,8 @@ pub fn fhe_processor(fhe_inputs: &FHEInputs) -> Vec { mod tests { use super::*; use anyhow::Result; - use e3_fhe_params::{build_bfv_params_arc, encode_bfv_params, BfvParamSet, BfvPreset}; + use e3_fhe_params::DEFAULT_BFV_PRESET; + use e3_fhe_params::{build_bfv_params_arc, encode_bfv_params, BfvParamSet}; use fhe::bfv::{Encoding, Plaintext, PublicKey, SecretKey}; use fhe_traits::FheEncoder; use fhe_traits::FheEncrypter; @@ -37,7 +38,7 @@ mod tests { fn test() -> Result<()> { let mut rng = thread_rng(); - let params_set: BfvParamSet = BfvPreset::InsecureThresholdBfv512.into(); + let params_set: BfvParamSet = DEFAULT_BFV_PRESET.into(); let params = build_bfv_params_arc( params_set.degree, params_set.plaintext_modulus, diff --git a/templates/default/server/index.ts b/templates/default/server/index.ts index 46e879ca38..9a4719b6c8 100644 --- a/templates/default/server/index.ts +++ b/templates/default/server/index.ts 
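Review bot: The renamed fallback on the `+` line still silently selects a preset whose own name says it is insecure whenever `VITE_THRESHOLD_BFV_PARAMS_PRESET_NAME` is unset, and nothing in the new code distinguishes a deliberate local-dev choice from a production build that simply forgot to set the variable. Since this file already keeps a `requiredEnvVars` table a few lines down, the safest fix is to add `VITE_THRESHOLD_BFV_PARAMS_PRESET_NAME` to that table, or at least surface the fallback, e.g. `if (!import.meta.env.VITE_THRESHOLD_BFV_PARAMS_PRESET_NAME) console.warn('VITE_THRESHOLD_BFV_PARAMS_PRESET_NAME unset; falling back to insecure preset INSECURE_THRESHOLD_512')`. The rest of the `requiredEnvVars` object and the code that checks it lie outside this hunk, so whether a missing entry is fatal is inferred rather than seen.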
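Review bot: The two `use e3_fhe_params::...` lines on the `+` side of the first hunk import from the same crate and would normally be a single grouped import, `use e3_fhe_params::{build_bfv_params_arc, encode_bfv_params, BfvParamSet, DEFAULT_BFV_PRESET};`. Separately, the second hunk makes this test follow whatever `DEFAULT_BFV_PRESET` resolves to instead of an explicitly named fast/insecure preset, so the parameter set it exercises and its runtime now change silently with the crate default; if a small fixed preset is what the test relies on, a comment such as `// DEFAULT_BFV_PRESET is assumed to be a small, test-speed parameter set; revisit if the default changes` would make that assumption visible. `fn test()` continues past the end of the hunk.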
@@ -40,7 +40,7 @@ async function createPrivateSDK() { feeToken: FEE_TOKEN_CONTRACT as `0x${string}`, }, chainId: CHAIN_ID, - thresholdBfvParamsPresetName: 'INSECURE_THRESHOLD_BFV_512', + thresholdBfvParamsPresetName: 'INSECURE_THRESHOLD_512', }) await sdk.initialize() diff --git a/templates/default/tests/integration.spec.ts b/templates/default/tests/integration.spec.ts index 822229c867..34874b41be 100644 --- a/templates/default/tests/integration.spec.ts +++ b/templates/default/tests/integration.spec.ts @@ -166,7 +166,7 @@ describe('Integration', () => { }, rpcUrl: 'ws://localhost:8545', privateKey: '0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80', - thresholdBfvParamsPresetName: 'INSECURE_THRESHOLD_BFV_512', + thresholdBfvParamsPresetName: 'INSECURE_THRESHOLD_512', }) it('should run an integration test', async () => {
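Review bot: The server template still hardcodes `thresholdBfvParamsPresetName: 'INSECURE_THRESHOLD_512'` inside `createPrivateSDK`, while the client side of the same template reads the preset from an environment variable with an insecure fallback; the two can drift, and a deployment that configures the client with a secure preset keeps the insecure one on the server with no signal. Read it from the environment here as well, keeping the same fallback, e.g. `thresholdBfvParamsPresetName: process.env.THRESHOLD_BFV_PARAMS_PRESET_NAME ?? 'INSECURE_THRESHOLD_512',`, so the insecure set is an explicit default rather than a fixed value. How `FEE_TOKEN_CONTRACT` and `CHAIN_ID` are sourced is outside this hunk, so the file's exact env-reading convention is inferred; `createPrivateSDK` continues past the hunk.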