github-mig/ZoKrates
github-mig/ZoKrates
1
0
Fork 0
mirror of synced 2025-09-23 12:18:44 +00:00
Code Issues Projects Releases Wiki Activity

Merge branch 'develop' of github.com:JacobEberhardt/ZoKrates into develop

Browse source
This commit is contained in:
schaeff 2019-04-01 18:51:21 +02:00
commit b3c432ae2f
39 changed files with 706 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

39
zokrates_book/src/concepts/stdlib.md
View file

@ -4,6 +4,8 @@ ZoKrates comes with a number of reusable components which are defined at `./stdl
The following section highlights a subset of available imports:
### Hashes
#### sha256
```zokrates
@ -21,19 +23,37 @@ import "hashes/sha256/512bit.code"
A function that takes 2 `field[256]` arrays as inputs and returns their sha256 compression function as an array of 256 field elements.
The difference with `sha256` is that no padding is added at the end of the message, which makes it more efficient but also less compatible with Solidity.
There also is support for 2 round (1024bit input) and and 3 round (1536bit input) variants, using `hashes/1024bit.code` or `hashes/1536bit.code` respectively.
There also is support for 2-round (1024-bit input) and and 3-round (1536-bit input) variants, using `hashes/1024bit.code` or `hashes/1536bit.code` respectively.
#### sha256packed
```zokrates
import "hashes/sha256/512bitPacked.code"
import "hashes/sha256/512bitPacked.code"
```
A function that takes an array of 4 field elements as inputs, unpacks each of them to 128 bits (big endian), concatenates them and applies sha256. It then returns an array of 2 field elements, each representing 128 bits of the result.
### Direct imports
### Public-key Cryptography
Some components of the standard library cannot yet be efficiently represented in the ZoKrates DSL language. Those functions are injected at compile-time and are available by default.
#### Proof of private-key ownership
```zokrates
import "ecc/proofOfOwnership.code"
```
Verifies match of a given public/private keypair. Checks if the following equation holds for the provided keypair:
`pk = sk*G`
where `G` is the chosen base point of the subgroup and `*` denotes scalar multiplication in the subgroup.
#### Signature verification
```zokrates
import "signatures/verifyEddsa.code"
```
Verifies an EdDSA Signature. Checks the correctness of a given EdDSA Signature `(R,S)` for the provided public key `A` and message `(M0, M1)`. Check out this [python repository](https://github.com/Zokrates/pycrypto) for tooling to create valid signatures.
### Packing / Unpacking
#### pack128
@ -49,4 +69,13 @@ Packs 128 field elements as one.
import "utils/pack/unpack128"
```
Unpacks a field element to 128 field elements.
Unpacks a field element to 128 field elements.
#### unpack256
```zokrates
import "utils/pack/unpack256"
```
Unpacks a field element to 256 field elements.

12
zokrates_cli/examples/TestStdlib/utils/multiplexer/test2bit.code
View file

@ -1,12 +0,0 @@
import "utils/multiplexer/2bit.code" as multiplex
def main() -> (field[2]):
field bit = 1
field[2] output = [0, 0]
field[2] a = [0, 1]
field[2] b = [1, 0]
output == multiplex(bit, a, b)
return output

2
zokrates_stdlib/Cargo.toml
View file

@ -1,7 +1,7 @@
[package]
name = "zokrates_stdlib"
version = "0.1.0"
authors = ["schaeff <thibaut@schaeff.fr>"]
authors = ["Stefan Deml <stefandeml@gmail.com>", "schaeff <thibaut@schaeff.fr>"]
edition = "2018"
[features]

22
zokrates_stdlib/stdlib/ecc/babyjubjubParams.code Normal file
View file

@ -0,0 +1,22 @@
// Parameters are based on: https://github.com/HarryR/ethsnarks/tree/9cdf0117c2e42c691e75b98979cb29b099eca998/src/jubjub
// Note: parameters will be updated soon to be more compatible with zCash's implementation
def main() -> (field[10]):
// Order of the curve E
field JUBJUBE = 21888242871839275222246405745257275088614511777268538073601725287587578984328
field JUBJUBC = 8 // Cofactor
field JUBJUBA = 168700 // Coefficient A
field JUBJUBD = 168696 // Coefficient D
field MONTA = 168698 // int(2*(JUBJUB_A+JUBJUB_D)/(JUBJUB_A-JUBJUB_D))
field MONTB = 1 // int(4/(JUBJUB_A-JUBJUB_D))
// Point at infinity
field[2] infinity = [0, 1]
// Generator
field Gu = 16540640123574156134436876038791482806971768689494387082833631921987005038935
field Gv = 20819045374670962167435360035096875258406992893633759881276124905556507972311
// Index
// 0 1 2 3 4 5 6 7 8 10
return [JUBJUBA, JUBJUBD, infinity[0], infinity[1], Gu, Gv, JUBJUBE, JUBJUBC, MONTA, MONTB]

18
zokrates_stdlib/stdlib/ecc/edwardsAdd.code Normal file
View file

@ -0,0 +1,18 @@
import "ecc/babyjubjubParams.code" as context
// Add two points on a twisted Edwards curve
// Curve parameters are defined with the last argument
// https://en.wikipedia.org/wiki/Twisted_Edwards_curve#Addition_on_twisted_Edwards_curves
def main(field[2] pt1, field[2] pt2, field[10] context) -> (field[2]):
field a = context[0]
field d = context[1]
field u1 = pt1[0]
field v1 = pt1[1]
field u2 = pt2[0]
field v2 = pt2[1]
field uOut = (u1*v2 + v1*u2) / (1 + d*u1*u2*v1*v2)
field vOut = (v1*v2 - a*u1*u2) / (1 - d*u1*u2*v1*v2)
return [uOut, vOut]

10
zokrates_stdlib/stdlib/ecc/edwardsNegate.code Normal file
View file

@ -0,0 +1,10 @@
import "ecc/babyjubjubParams.code" as context
// Negate a point on an Edwards curve
// Curve parameters are defined with the last argument
// Twisted Edwards Curves, BBJLP-2008, section 2 pg 2
def main(field[2] pt, field[10] context) -> (field[2]):
field u = pt[0]
field v = pt[1]
return [0-u, v]

16
zokrates_stdlib/stdlib/ecc/edwardsOnCurve.code Normal file
View file

@ -0,0 +1,16 @@
// Check if a point is on a twisted Edwards curve
// Curve parameters are defined with the last argument
// See appendix 3.3.1 of Zcash protocol specification:
// https://github.com/zcash/zips/blob/master/protocol/protocol.pdf
def main(field[2] pt, field[10] context) -> (field):
field a = context[0]
field d = context[1]
field uu = pt[0] * pt[0]
field vv = pt[1] * pt[1]
field uuvv = uu * vv
a * uu + vv == 1 + d * uuvv
return 1

25
zokrates_stdlib/stdlib/ecc/edwardsOrderCheck.code Normal file
View file

@ -0,0 +1,25 @@
import "ecc/edwardsAdd.code" as add
import "ecc/edwardsScalarMult.code" as multiply
import "utils/pack/unpack256.code" as unpack256
// Verifies that the point is not one of the low-order points.
// If any of the points is multiplied by the cofactor, the resulting point
// will be infinity.
// Returns 1 if the point is not one of the low-order points, 0 otherwise.
// Curve parameters are defined with the last argument
// https://github.com/zcash-hackworks/sapling-crypto/blob/master/src/jubjub/edwards.rs#L166
def main(field[2] pt, field[10] context) -> (field):
field cofactor = context[7]
// Co-factor currently hard-coded to 8 for efficiency reasons
// See discussion here: https://github.com/Zokrates/ZoKrates/pull/301#discussion_r267203391
// Generic code:
// field[256] cofactorExponent = unpack256(cofactor)
// field[2] ptExp = multiply(cofactorExponent, pt, context)
field[2] ptExp = add(pt, pt, context) // 2*pt
ptExp = add(ptExp, ptExp, context) // 4*pt
ptExp = add(ptExp, ptExp, context) // 8*pt
field out = if ptExp[0] == 0 && ptExp[1] == 1 then 0 else 1 fi
return out

25
zokrates_stdlib/stdlib/ecc/edwardsScalarMult.code Normal file
View file

@ -0,0 +1,25 @@
import "ecc/edwardsAdd.code" as add
import "ecc/edwardsOnCurve.code" as assertOnCurve
// Function that implements scalar multiplication for a fixed base point
// Curve parameters are defined with the last argument
// The exponent is hard-coded to a 256bit scalar, hence we allow wrapping around the group for certain
// curve parameters.
// Note that the exponent array is not check to be boolean in this gadget
// Reference: https://github.com/zcash-hackworks/sapling-crypto/blob/master/src/jubjub/fs.rs#L555
def main(field[256] exponent, field[2] pt, field[10] context) -> (field[2]):
field[2] infinity = [context[2], context[3]]
field[2] doubledP = pt
field[2] accumulatedP = infinity
for field i in 0..256 do
field j = 255 - i
candidateP = add(accumulatedP, doubledP, context)
accumulatedP = if exponent[j] == 1 then candidateP else accumulatedP fi
doubledP = add(doubledP, doubledP, context)
endfor
1 == assertOnCurve(accumulatedP, context)
return accumulatedP

28
zokrates_stdlib/stdlib/ecc/proofOfOwnership.code Normal file
View file

@ -0,0 +1,28 @@
import "ecc/edwardsAdd.code" as add
import "ecc/edwardsScalarMult.code" as multiply
import "utils/pack/unpack256.code" as unpack256
/// Verifies match of a given public/private keypair.
///
/// Checks if the following equation holds for the provided keypair:
/// pk = sk*G
/// where G is the chosen base point of the subgroup
/// and * denotes scalar multiplication in the subgroup
///
/// Arguments:
/// pk: Curve point. Public key.
/// sk: Field element. Private key.
/// context: Curve parameters (including generator G) used to create keypair.
///
/// Returns:
/// Return 1 for pk/sk being a valid keypair, 0 otherwise.
def main(field[2] pk, field sk, field[10] context) -> (field):
field[2] G = [context[4], context[5]]
field[256] skBits = unpack256(sk)
field[2] ptExp = multiply(skBits, G, context)
field out = if ptExp[0] == pk[0] && ptExp[1] == pk[1] then 1 else 0 fi
return out

15
zokrates_stdlib/stdlib/hashes/sha256/1024bitPadded.code Normal file
View file

@ -0,0 +1,15 @@
import "./1536bit.code" as sha256
// Take two field[256] arrays as input
// and returns their sha256 full round output as an array of 256 field elements.
def main(field[256] a, field[256] b, field[256] c, field[256] d) -> (field[256]):
// Hash is computed on the full 512bit block size
// padding does not fit in the primary block
// add dummy block (single "1" followed by "0" + total length)
field[256] dummyblock1 = [1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
// total length of message is 512 bits: 0b1000000000
field[256] dummyblock2 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
digest = sha256(a, b, c, d, dummyblock1, dummyblock2)
return digest

50
zokrates_stdlib/stdlib/signatures/verifyEddsa.code Normal file
View file

@ -0,0 +1,50 @@
import "hashes/sha256/1024bitPadded.code" as sha256
import "ecc/edwardsScalarMult.code" as scalarMult
import "ecc/edwardsAdd.code" as add
import "utils/pack/unpack256.code" as unpack256
import "ecc/edwardsOnCurve.code" as onCurve
import "ecc/edwardsOrderCheck.code" as orderCheck
/// Verifies an EdDSA Signature.
///
/// Checks the correctness of a given EdDSA Signature (R,S) for the provided
/// public key A and message (M0, M1).
/// This python repo provides the tooling for creating valid signatures:
/// https://github.com/Zokrates/pycrypto
///
/// For more information see:
/// https://en.wikipedia.org/wiki/EdDSA
/// https://eprint.iacr.org/2015/677.pdf
///
/// Arguments:
/// R: Curve point. Hidden version of the per-message nonce.
/// S: Field element. Signature to be verified.
/// A: Curve point. Public part of the key used to create S.
/// M0: 256bit array. First 256bits of the message used to create S .
/// M1: 256bit array. Trailing 256bits of the message used to create S .
/// context: Curve parameters used to create S.
///
/// Returns:
/// Return 1 for S being a valid EdDSA Signature, 0 otherwise.
def main(private field[2] R, private field S, field[2] A, field[256] M0, field[256] M1, field[10] context) -> (field):
field[2] G = [context[4], context[5]]
// Check if R is on curve and if it is not in a small subgroup. A is public input and can be checked offline
field isOnCurve = onCurve(R, context) // throws if R is not on curve
field isPrimeOrder = orderCheck(R, context)
1 == isPrimeOrder
field[256] Rx = unpack256(R[0])
field[256] Ax = unpack256(A[0])
field[256] hRAM = sha256(Rx, Ax, M0, M1)
field[256] sBits = unpack256(S)
field[2] lhs = scalarMult(sBits, G, context)
field[2] AhRAM = scalarMult(hRAM, A, context)
field[2] rhs = add(R, AhRAM, context)
field out = if rhs[0] == lhs[0] && rhs[1] == lhs[1] then 1 else 0 fi
return out

37
zokrates_stdlib/tests/bench/ecc/edwardsAdd.code Normal file
View file

@ -0,0 +1,37 @@
import "ecc/edwardsAdd.code" as add
import "ecc/edwardsNegate.code" as neg
import "ecc/babyjubjubParams.code" as context
// Code to create test cases:
// https://github.com/Zokrates/pycrypto
def testDoubleViaAdd() -> (field):
context = context()
field[2] G = [context[4], context[5]]
field[2] out = add(G, G, context)
out[0] == 17324563846726889236817837922625232543153115346355010501047597319863650987830
out[1] == 20022170825455209233733649024450576091402881793145646502279487074566492066831
return 1
def testIdentities() -> (field):
context = context()
field[2] G = [context[4], context[5]]
field[2] inf = [context[2], context[3]]
G == add(G, inf, context)
field[2] nG = neg(G, context)
field[2] nGaddG = add(G, nG, context)
inf == nGaddG
return 1
def main() -> (field):
1 == testDoubleViaAdd()
1 == testIdentities()
return 1

15
zokrates_stdlib/tests/bench/ecc/edwardsAdd.json Normal file
View file

@ -0,0 +1,15 @@
{
"entry_point": "./tests/bench/ecc/edwardsAdd.code",
"tests": [
{
"input": {
"values": []
},
"output": {
"Ok": {
"values": ["1"]
}
}
}
]
}

21
zokrates_stdlib/tests/bench/ecc/edwardsOnCurve.code Normal file
View file

@ -0,0 +1,21 @@
import "ecc/babyjubjubParams.code" as context
import "ecc/edwardsOnCurve.code" as onCurve
// Code to create test cases:
// https://github.com/Zokrates/pycrypto
def testOnCurveTrue() -> (field):
context = context()
field testU = 17324563846726889236817837922625232543153115346355010501047597319863650987830
field testV = 20022170825455209233733649024450576091402881793145646502279487074566492066831
1 == onCurve([testU, testV], context)
return 1
def main() -> (field):
1 == testOnCurveTrue()
// onCurve throws for false
return 1

15
zokrates_stdlib/tests/bench/ecc/edwardsOnCurve.json Normal file
View file

@ -0,0 +1,15 @@
{
"entry_point": "./tests/bench/ecc/edwardsOnCurve.code",
"tests": [
{
"input": {
"values": []
},
"output": {
"Ok": {
"values": ["1"]
}
}
}
]
}

33
zokrates_stdlib/tests/bench/ecc/edwardsOrderCheck.code Normal file
View file

@ -0,0 +1,33 @@
import "ecc/edwardsOrderCheck.code" as orderCheck
import "ecc/babyjubjubParams.code" as context
// Code to create test cases:
// https://github.com/Zokrates/pycrypto
def testOrderCheckTrue() -> (field):
context = context()
field testU = 17324563846726889236817837922625232543153115346355010501047597319863650987830
field testV = 20022170825455209233733649024450576091402881793145646502279487074566492066831
field out = orderCheck([testU, testV], context)
out == 1
return 1
def testOrderCheckFalse() -> (field):
context = context()
field testU = 4342719913949491028786768530115087822524712248835451589697801404893164183326
field testV = 4826523245007015323400664741523384119579596407052839571721035538011798951543
field out = orderCheck([testU, testV], context)
out == 0
return 1
def main() -> (field):
1 == testOrderCheckFalse()
1 == testOrderCheckTrue()
return 1

15
zokrates_stdlib/tests/bench/ecc/edwardsOrderCheck.json Normal file
View file

@ -0,0 +1,15 @@
{
"entry_point": "./tests/bench/ecc/edwardsOrderCheck.code",
"tests": [
{
"input": {
"values": []
},
"output": {
"Ok": {
"values": ["1"]
}
}
}
]
}

91
zokrates_stdlib/tests/bench/ecc/edwardsScalarMult.code Normal file
View file

@ -0,0 +1,91 @@
import "ecc/babyjubjubParams.code" as context
import "ecc/edwardsScalarMult.code" as mul
// Code to create test cases:
// https://github.com/Zokrates/pycrypto
def testCyclic() -> (field):
context = context()
field[2] G = [context[4], context[5]]
// exp = JUBJUB_E + 1
field[256] exp = [0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 1, 1, 0, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0, 1, 1, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 0, 1, 1, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1]
field[2] out = mul(exp, G, context)
G == out
return 1
def testMul2() -> (field):
context = context()
field[2] G = [context[4], context[5]]
// exp == 2
field[256] exp = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0]
field[2] out = mul(exp, G, context)
out[0] == 17324563846726889236817837922625232543153115346355010501047597319863650987830
out[1] == 20022170825455209233733649024450576091402881793145646502279487074566492066831
return 1
def testAssociativity() -> (field):
context = context()
field[2] G = [context[4], context[5]]
// a = 1234
field[256] a = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, 0]
// b = 5678
field[256] b = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 1, 0, 1, 1, 1, 0]
// c = 7890
field[256] c = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0]
field[2] Ga = mul(a, G, context)
field[2] Gab = mul(b, Ga, context)
field[2] Gabc = mul(c, Gab, context)
field[2] Gb = mul(b, G, context)
field[2] Gbc = mul(c, Gb, context)
field[2] Gbca = mul(a, Gbc, context)
field[2] Gc = mul(c, G, context)
field[2] Gca = mul(a, Gc, context)
field[2] Gcab = mul(b, Gca, context)
Gabc == Gbca
Gbca == Gcab
Gabc == Gcab
return 1
def testMultiplicative() -> (field):
context = context()
field[2] G = [context[4], context[5]]
// a = 1234
field[256] a = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, 0]
// b = 5678
field[256] b = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 1, 0, 1, 1, 1, 0]
// ab = a*b = 7006652
field[256] ab = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0]
field[2] Ga = mul(a, G, context)
field[2] Gb = mul(b, G, context)
field[2] Gab = mul(b, Ga, context)
field[2] Gba = mul(a, Gb, context)
field[2] Gmab = mul(ab, G, context)
Gab == Gba
Gba == Gmab
Gab == Gmab
return 1
def main() -> (field):
1 == testMul2()
1 == testCyclic()
1 == testAssociativity()
1 == testMultiplicative()
return 1

15
zokrates_stdlib/tests/bench/ecc/edwardsScalarMult.json Normal file
View file

@ -0,0 +1,15 @@
{
"entry_point": "./tests/bench/ecc/edwardsScalarMult.code",
"tests": [
{
"input": {
"values": []
},
"output": {
"Ok": {
"values": ["1"]
}
}
}
]
}

35
zokrates_stdlib/tests/bench/ecc/proofOfOwnership.code Normal file
View file

@ -0,0 +1,35 @@
import "ecc/babyjubjubParams.code" as context
import "ecc/proofOfOwnership.code" as proofOfOwnership
import "ecc/edwardsScalarMult.code" as multiply
import "utils/pack/unpack256.code" as unpack256
// Code to create test cases:
// https://github.com/Zokrates/pycrypto
def testOwnershipTrue() -> (field):
context = context()
field[2] G = [context[4], context[5]]
field[2] Pk = [14897476871502190904409029696666322856887678969656209656241038339251270171395, 16668832459046858928951622951481252834155254151733002984053501254009901876174]
field sk = 1997011358982923168928344992199991480689546837621580239342656433234255379025
field out = proofOfOwnership(Pk, sk, context)
out == 1
return 1
def testtOwnershipFalse() -> (field):
context = context()
field[2] Pk = [16328093915569409528980874702678312730273137210288183490878184636452430630129, 9377227749598842756429258362864743065769435972445705966557343775367597326529]
field sk = 1997011358982923168928344992199991480689546837621580239342656433234255379025
field out = proofOfOwnership(Pk, sk, context)
out == 0
return 1
def main() -> (field):
1 == testOwnershipTrue()
1 == testtOwnershipFalse()
return 1

15
zokrates_stdlib/tests/bench/ecc/proofOfOwnership.json Normal file
View file

@ -0,0 +1,15 @@
{
"entry_point": "./tests/bench/ecc/proofOfOwnership.code",
"tests": [
{
"input": {
"values": []
},
"output": {
"Ok": {
"values": ["1"]
}
}
}
]
}

0
zokrates_cli/examples/TestStdlib/hashes/sha256/test512bit.code → zokrates_stdlib/tests/bench/hashes/sha256/512bit.code
View file

15
zokrates_stdlib/tests/bench/hashes/sha256/512bit.json Normal file
View file

@ -0,0 +1,15 @@
{
"entry_point": "./tests/bench/hashes/sha256/512bit.code",
"tests": [
{
"input": {
"values": []
},
"output": {
"Ok": {
"values": ["1"]
}
}
}
]
}

0
zokrates_cli/examples/TestStdlib/hashes/sha256/test512bitPacked.code → zokrates_stdlib/tests/bench/hashes/sha256/512bitPacked.code
View file

0
zokrates_stdlib/tests/bench/hash/512bitPacked.json → zokrates_stdlib/tests/bench/hashes/sha256/512bitPacked.json
View file

15
zokrates_stdlib/tests/bench/hashes/sha256/512bitPacked2.json Normal file
View file

@ -0,0 +1,15 @@
{
"entry_point": "./tests/bench/hashes/sha256/512bitPacked.code",
"tests": [
{
"input": {
"values": []
},
"output": {
"Ok": {
"values": ["1"]
}
}
}
]
}

0
zokrates_cli/examples/TestStdlib/hashes/sha256/test512bitPadded.code → zokrates_stdlib/tests/bench/hashes/sha256/512bitPadded.code
View file

15
zokrates_stdlib/tests/bench/hashes/sha256/512bitPadded.json Normal file
View file

@ -0,0 +1,15 @@
{
"entry_point": "./tests/bench/hashes/sha256/512bitPadded.code",
"tests": [
{
"input": {
"values": []
},
"output": {
"Ok": {
"values": ["1"]
}
}
}
]
}

22
zokrates_stdlib/tests/bench/signatures/verifyEddsa.code Normal file
View file

@ -0,0 +1,22 @@
import "signatures/verifyEddsa.code" as verifyEddsa
import "ecc/babyjubjubParams.code" as context
// Code to create test case:
// https://github.com/Zokrates/pycrypto
def main() -> (field):
context = context()
field[2] R = [20197911405516193152560090893341588680064377398162745404177962124159545390767, 9171190326927340493105240100684097896571028312802691203521747450053192554927]
field S = 6050429445242986634735172402304257690628456074852538287769363221635064371045
// Private Key
field[2] A = [14897476871502190904409029696666322856887678969656209656241038339251270171395, 16668832459046858928951622951481252834155254151733002984053501254009901876174]
field[256] M0 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
field[256] M1 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1]
field isVerified = verifyEddsa(R, S, A, M0, M1, context)
isVerified == 1
return 1

15
zokrates_stdlib/tests/bench/signatures/verifyEddsa.json Normal file
View file

@ -0,0 +1,15 @@
{
"entry_point": "./tests/bench/signatures/verifyEddsa.code",
"tests": [
{
"input": {
"values": []
},
"output": {
"Ok": {
"values": ["1"]
}
}
}
]
}

28
zokrates_stdlib/tests/bench/utils/multiplexer/2bit.code Normal file
View file

@ -0,0 +1,28 @@
import "utils/multiplexer/2bit.code" as multiplex
def left() -> (field):
field bit = 0 //left
field[2] a = [0, 1]
field[2] b = [1, 0]
field[2] output = [0, 1]
output == multiplex(bit, a, b)
return 1
def right() -> (field):
field bit = 1 //left
field[2] a = [0, 1]
field[2] b = [1, 0]
field[2] output = [1, 0]
output == multiplex(bit, a, b)
return 1
def main() -> (field):
1 == left()
1 == right()
return 1

15
zokrates_stdlib/tests/bench/utils/multiplexer/2bit.json Normal file
View file

@ -0,0 +1,15 @@
{
"entry_point": "./tests/bench/utils/multiplexer/2bit.code",
"tests": [
{
"input": {
"values": []
},
"output": {
"Ok": {
"values": ["1"]
}
}
}
]
}

0
zokrates_cli/examples/TestStdlib/utils/pack/testpack128.code → zokrates_stdlib/tests/bench/utils/pack/pack128.code
View file

15
zokrates_stdlib/tests/bench/utils/pack/pack128.json Normal file
View file

@ -0,0 +1,15 @@
{
"entry_point": "./tests/bench/utils/pack/pack128.code",
"tests": [
{
"input": {
"values": []
},
"output": {
"Ok": {
"values": ["1"]
}
}
}
]
}

0
zokrates_cli/examples/TestStdlib/utils/pack/testunpack128.code → zokrates_stdlib/tests/bench/utils/pack/unpack128.code
View file

15
zokrates_stdlib/tests/bench/utils/pack/unpack128.json Normal file
View file

@ -0,0 +1,15 @@
{
"entry_point": "./tests/bench/utils/pack/unpack128.code",
"tests": [
{
"input": {
"values": []
},
"output": {
"Ok": {
"values": ["1"]
}
}
}
]
}

0
zokrates_cli/examples/TestStdlib/utils/pack/testunpack256.code → zokrates_stdlib/tests/bench/utils/pack/unpack256.code
View file

15
zokrates_stdlib/tests/bench/utils/pack/unpack256.json Normal file
View file

@ -0,0 +1,15 @@
{
"entry_point": "./tests/bench/utils/pack/unpack256.code",
"tests": [
{
"input": {
"values": []
},
"output": {
"Ok": {
"values": ["1"]
}
}
}
]
}