feat!: implement keccakf1600 in brillig #3914

Merged
merged 7 commits into from
Jan 11, 2024
Changes from 4 commits
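--- a/barretenberg/cpp/src/barretenberg/dsl/acir_format/serde/acir.hpp
+++ b/barretenberg/cpp/src/barretenberg/dsl/acir_format/serde/acir.hpp
@@ -466,6 +466,15 @@ struct BlackBoxOp {
 static Keccak256 bincodeDeserialize(std::vector<uint8_t>);
 };
 
+struct Keccakf1600 {
+Circuit::HeapVector message;
+Circuit::HeapArray output;
+
+friend bool operator==(const Keccakf1600&, const Keccakf1600&);
+std::vector<uint8_t> bincodeSerialize() const;
+static Keccakf1600 bincodeDeserialize(std::vector<uint8_t>);
+};
+
 struct EcdsaSecp256k1 {
 Circuit::HeapVector hashed_msg;
 Circuit::HeapArray public_key_x;
@@ -558,6 +567,7 @@ struct BlackBoxOp {
 Blake2s,
 Blake3,
 Keccak256,
+Keccakf1600,
 EcdsaSecp256k1,
 EcdsaSecp256r1,
 SchnorrVerify,
@@ -3148,6 +3158,58 @@ Circuit::BlackBoxOp::Keccak256 serde::Deserializable<Circuit::BlackBoxOp::Keccak
 
 namespace Circuit {
 
+inline bool operator==(const BlackBoxOp::Keccakf1600& lhs, const BlackBoxOp::Keccakf1600& rhs)
+{
+if (!(lhs.message == rhs.message)) {
+return false;
+}
+if (!(lhs.output == rhs.output)) {
+return false;
+}
+return true;
+}
+
+inline std::vector<uint8_t> BlackBoxOp::Keccakf1600::bincodeSerialize() const
+{
+auto serializer = serde::BincodeSerializer();
+serde::Serializable<BlackBoxOp::Keccakf1600>::serialize(*this, serializer);
+return std::move(serializer).bytes();
+}
+
+inline BlackBoxOp::Keccakf1600 BlackBoxOp::Keccakf1600::bincodeDeserialize(std::vector<uint8_t> input)
+{
+auto deserializer = serde::BincodeDeserializer(input);
+auto value = serde::Deserializable<BlackBoxOp::Keccakf1600>::deserialize(deserializer);
+if (deserializer.get_buffer_offset() < input.size()) {
+throw_or_abort("Some input bytes were not read");
+}
+return value;
+}
+
+} // end of namespace Circuit
+
+template <>
+template <typename Serializer>
+void serde::Serializable<Circuit::BlackBoxOp::Keccakf1600>::serialize(const Circuit::BlackBoxOp::Keccakf1600& obj,
+Serializer& serializer)
+{
+serde::Serializable<decltype(obj.message)>::serialize(obj.message, serializer);
+serde::Serializable<decltype(obj.output)>::serialize(obj.output, serializer);
+}
+
+template <>
+template <typename Deserializer>
+Circuit::BlackBoxOp::Keccakf1600 serde::Deserializable<Circuit::BlackBoxOp::Keccakf1600>::deserialize(
+Deserializer& deserializer)
+{
+Circuit::BlackBoxOp::Keccakf1600 obj;
+obj.message = serde::Deserializable<decltype(obj.message)>::deserialize(deserializer);
+obj.output = serde::Deserializable<decltype(obj.output)>::deserialize(deserializer);
+return obj;
+}
+
+namespace Circuit {
+
 inline bool operator==(const BlackBoxOp::EcdsaSecp256k1& lhs, const BlackBoxOp::EcdsaSecp256k1& rhs)
 {
 if (!(lhs.hashed_msg == rhs.hashed_msg)) {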
52 changes: 51 additions & 1 deletion noir/acvm-repo/acir/codegen/acir.cpp
Expand Up @@ -446,6 +446,15 @@ namespace Circuit {
static Keccak256 bincodeDeserialize(std::vector<uint8_t>);
};

struct Keccakf1600 {
Circuit::HeapVector message;
Circuit::HeapArray output;

friend bool operator==(const Keccakf1600&, const Keccakf1600&);
std::vector<uint8_t> bincodeSerialize() const;
static Keccakf1600 bincodeDeserialize(std::vector<uint8_t>);
};

struct EcdsaSecp256k1 {
Circuit::HeapVector hashed_msg;
Circuit::HeapArray public_key_x;
Expand Down Expand Up @@ -534,7 +543,7 @@ namespace Circuit {
static EmbeddedCurveDouble bincodeDeserialize(std::vector<uint8_t>);
};

std::variant<Sha256, Blake2s, Blake3, Keccak256, EcdsaSecp256k1, EcdsaSecp256r1, SchnorrVerify, PedersenCommitment, PedersenHash, FixedBaseScalarMul, EmbeddedCurveAdd, EmbeddedCurveDouble> value;
std::variant<Sha256, Blake2s, Blake3, Keccak256, Keccakf1600, EcdsaSecp256k1, EcdsaSecp256r1, SchnorrVerify, PedersenCommitment, PedersenHash, FixedBaseScalarMul, EmbeddedCurveAdd, EmbeddedCurveDouble> value;

friend bool operator==(const BlackBoxOp&, const BlackBoxOp&);
std::vector<uint8_t> bincodeSerialize() const;
Expand Down Expand Up @@ -2686,6 +2695,47 @@ Circuit::BlackBoxOp::Keccak256 serde::Deserializable<Circuit::BlackBoxOp::Keccak
return obj;
}

namespace Circuit {

inline bool operator==(const BlackBoxOp::Keccakf1600 &lhs, const BlackBoxOp::Keccakf1600 &rhs) {
if (!(lhs.message == rhs.message)) { return false; }
if (!(lhs.output == rhs.output)) { return false; }
return true;
}

inline std::vector<uint8_t> BlackBoxOp::Keccakf1600::bincodeSerialize() const {
auto serializer = serde::BincodeSerializer();
serde::Serializable<BlackBoxOp::Keccakf1600>::serialize(*this, serializer);
return std::move(serializer).bytes();
}

inline BlackBoxOp::Keccakf1600 BlackBoxOp::Keccakf1600::bincodeDeserialize(std::vector<uint8_t> input) {
auto deserializer = serde::BincodeDeserializer(input);
auto value = serde::Deserializable<BlackBoxOp::Keccakf1600>::deserialize(deserializer);
if (deserializer.get_buffer_offset() < input.size()) {
throw serde::deserialization_error("Some input bytes were not read");
}
return value;
}

} // end of namespace Circuit

template <>
template <typename Serializer>
void serde::Serializable<Circuit::BlackBoxOp::Keccakf1600>::serialize(const Circuit::BlackBoxOp::Keccakf1600 &obj, Serializer &serializer) {
serde::Serializable<decltype(obj.message)>::serialize(obj.message, serializer);
serde::Serializable<decltype(obj.output)>::serialize(obj.output, serializer);
}

template <>
template <typename Deserializer>
Circuit::BlackBoxOp::Keccakf1600 serde::Deserializable<Circuit::BlackBoxOp::Keccakf1600>::deserialize(Deserializer &deserializer) {
Circuit::BlackBoxOp::Keccakf1600 obj;
obj.message = serde::Deserializable<decltype(obj.message)>::deserialize(deserializer);
obj.output = serde::Deserializable<decltype(obj.output)>::deserialize(deserializer);
return obj;
}

namespace Circuit {

inline bool operator==(const BlackBoxOp::EcdsaSecp256k1 &lhs, const BlackBoxOp::EcdsaSecp256k1 &rhs) {
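--- a/noir/acvm-repo/acvm/src/pwg/blackbox/hash.rs
+++ b/noir/acvm-repo/acvm/src/pwg/blackbox/hash.rs
@@ -86,82 +86,3 @@ fn write_digest_to_outputs(
 
 Ok(())
 }
-
-const ROUNDS: usize = 24;
-
-const RC: [u64; ROUNDS] = [
-1u64,
-0x8082u64,
-0x800000000000808au64,
-0x8000000080008000u64,
-0x808bu64,
-0x80000001u64,
-0x8000000080008081u64,
-0x8000000000008009u64,
-0x8au64,
-0x88u64,
-0x80008009u64,
-0x8000000au64,
-0x8000808bu64,
-0x800000000000008bu64,
-0x8000000000008089u64,
-0x8000000000008003u64,
-0x8000000000008002u64,
-0x8000000000000080u64,
-0x800au64,
-0x800000008000000au64,
-0x8000000080008081u64,
-0x8000000000008080u64,
-0x80000001u64,
-0x8000000080008008u64,
-];
-
-const RHO: [u32; 24] =
-[1, 3, 6, 10, 15, 21, 28, 36, 45, 55, 2, 14, 27, 41, 56, 8, 25, 43, 62, 18, 39, 61, 20, 44];
-
-const PI: [usize; 24] =
-[10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4, 15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1];
-
-const KECCAK_LANES: usize = 25;
-
-pub(crate) fn keccakf1600(state: &mut [u64; KECCAK_LANES]) {
-for rc in RC {
-let mut array: [u64; 5] = [0; 5];
-
-// Theta
-for x in 0..5 {
-for y_count in 0..5 {
-let y = y_count * 5;
-array[x] ^= state[x + y];
-}
-}
-
-for x in 0..5 {
-for y_count in 0..5 {
-let y = y_count * 5;
-state[y + x] ^= array[(x + 4) % 5] ^ array[(x + 1) % 5].rotate_left(1);
-}
-}
-
-// Rho and pi
-let mut last = state[1];
-for x in 0..24 {
-array[0] = state[PI[x]];
-state[PI[x]] = last.rotate_left(RHO[x]);
-last = array[0];
-}
-
-// Chi
-for y_step in 0..5 {
-let y = y_step * 5;
-array[..5].copy_from_slice(&state[y..(5 + y)]);
-
-for x in 0..5 {
-state[y + x] = array[x] ^ ((!array[(x + 1) % 5]) & (array[(x + 2) % 5]));
-}
-}
-
-// Iota
-state[0] ^= rc;
-}
-}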
8 changes: 4 additions & 4 deletions noir/acvm-repo/acvm/src/pwg/blackbox/mod.rs
Expand Up @@ -3,9 +3,9 @@ use acir::{
native_types::{Witness, WitnessMap},
FieldElement,
};
use acvm_blackbox_solver::{blake2s, blake3, keccak256, sha256};
use acvm_blackbox_solver::{blake2s, blake3, keccak256, keccakf1600, sha256};

use self::{hash::keccakf1600, pedersen::pedersen_hash};
use self::pedersen::pedersen_hash;

use super::{insert_value, OpcodeNotSolvable, OpcodeResolutionError};
use crate::{pwg::witness_to_value, BlackBoxFunctionSolver};
Expand Down Expand Up @@ -119,8 +119,8 @@ pub(crate) fn solve(
let lane = witness_assignment.try_to_u64();
state[i] = lane.unwrap();
}
keccakf1600(&mut state);
for (output_witness, value) in outputs.iter().zip(state.into_iter()) {
let output_state = keccakf1600(state)?;
for (output_witness, value) in outputs.iter().zip(output_state.into_iter()) {
insert_value(output_witness, FieldElement::from(value as u128), initial_witness)?;
}
Ok(())
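Review bot: The lane conversion directly above the changed call still ends in `lane.unwrap()`, so a witness value that does not fit in 64 bits would panic the solver rather than return an error, even though the new `keccakf1600(state)?` line already propagates failures through the function's `Result`. Mapping the failed conversion to the function's error type and returning it with `?` would make both failure paths behave the same for malformed input. Separately, `outputs.iter().zip(output_state.into_iter())` stops at the shorter side, so an `outputs` list with fewer than 25 entries would be filled only partially and without any error. Whether the lengths are validated earlier cannot be seen here, because `solve` starts and ends outside the hunk.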
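--- a/noir/acvm-repo/blackbox_solver/src/lib.rs
+++ b/noir/acvm-repo/blackbox_solver/src/lib.rs
@@ -106,6 +106,92 @@ fn generic_hash_256<D: Digest>(message: &[u8]) -> Result<[u8; 32], String> {
 Ok(output_bytes)
 }
 
+pub fn keccakf1600(
+mut state: [u64; KECCAK_LANES],
+) -> Result<[u64; KECCAK_LANES], BlackBoxResolutionError> {
+keccakf1600_internal(&mut state);
+Ok(state)
+}
+
+const ROUNDS: usize = 24;
+
+const RC: [u64; ROUNDS] = [
+1u64,
+0x8082u64,
+0x800000000000808au64,
+0x8000000080008000u64,
+0x808bu64,
+0x80000001u64,
+0x8000000080008081u64,
+0x8000000000008009u64,
+0x8au64,
+0x88u64,
+0x80008009u64,
+0x8000000au64,
+0x8000808bu64,
+0x800000000000008bu64,
+0x8000000000008089u64,
+0x8000000000008003u64,
+0x8000000000008002u64,
+0x8000000000000080u64,
+0x800au64,
+0x800000008000000au64,
+0x8000000080008081u64,
+0x8000000000008080u64,
+0x80000001u64,
+0x8000000080008008u64,
+];
+
+const RHO: [u32; 24] =
+[1, 3, 6, 10, 15, 21, 28, 36, 45, 55, 2, 14, 27, 41, 56, 8, 25, 43, 62, 18, 39, 61, 20, 44];
+
+const PI: [usize; 24] =
+[10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4, 15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1];
+
+const KECCAK_LANES: usize = 25;
+
+fn keccakf1600_internal(state: &mut [u64; KECCAK_LANES]) {
+for rc in RC {
+let mut array: [u64; 5] = [0; 5];
+
+// Theta
+for x in 0..5 {
+for y_count in 0..5 {
+let y = y_count * 5;
+array[x] ^= state[x + y];
+}
+}
+
+for x in 0..5 {
+for y_count in 0..5 {
+let y = y_count * 5;
+state[y + x] ^= array[(x + 4) % 5] ^ array[(x + 1) % 5].rotate_left(1);
+}
+}
+
+// Rho and pi
+let mut last = state[1];
+for x in 0..24 {
+array[0] = state[PI[x]];
+state[PI[x]] = last.rotate_left(RHO[x]);
+last = array[0];
+}
+
+// Chi
+for y_step in 0..5 {
+let y = y_step * 5;
+array[..5].copy_from_slice(&state[y..(5 + y)]);
+
+for x in 0..5 {
+state[y + x] = array[x] ^ ((!array[(x + 1) % 5]) & (array[(x + 2) % 5]));
+}
+}
+
+// Iota
+state[0] ^= rc;
+}
+}
+
 fn verify_secp256k1_ecdsa_signature(
 hashed_msg: &[u8],
 public_key_x_bytes: &[u8; 32],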
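Review bot: The new public `keccakf1600` has no doc comment and its body only ever returns `Ok(state)`, so neither the signature nor the source tells a caller what failure the `Result` is meant to carry. A comment such as `/// Applies the 24-round Keccak-f[1600] permutation to a 25-lane state and returns the permuted lanes; currently never fails.` would record that contract. No known-answer test for the permutation is visible in this hunk, and the `RC`, `RHO` and `PI` tables appear to have been relocated from `hash.rs`. A test against a published Keccak-f[1600] vector would catch a transcription error in those constants.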
12 changes: 6 additions & 6 deletions noir/acvm-repo/bn254_blackbox_solver/src/lib.rs
Expand Up @@ -90,18 +90,18 @@ impl BlackBoxFunctionSolver for Bn254BlackBoxSolver {

fn ec_add(
&self,
input1_x: &FieldElement,
input1_y: &FieldElement,
input2_x: &FieldElement,
input2_y: &FieldElement,
_input1_x: &FieldElement,
_input1_y: &FieldElement,
_input2_x: &FieldElement,
_input2_y: &FieldElement,
) -> Result<(FieldElement, FieldElement), BlackBoxResolutionError> {
todo!();
}

fn ec_double(
&self,
input_x: &FieldElement,
input_y: &FieldElement,
_input_x: &FieldElement,
_input_y: &FieldElement,
) -> Result<(FieldElement, FieldElement), BlackBoxResolutionError> {
todo!();
}
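--- a/noir/acvm-repo/brillig/src/black_box.rs
+++ b/noir/acvm-repo/brillig/src/black_box.rs
@@ -13,6 +13,8 @@ pub enum BlackBoxOp {
 Blake3 { message: HeapVector, output: HeapArray },
 /// Calculates the Keccak256 hash of the inputs.
 Keccak256 { message: HeapVector, output: HeapArray },
+/// Keccak Permutation function of 1600 width
+Keccakf1600 { message: HeapVector, output: HeapArray },
 /// Verifies a ECDSA signature over the secp256k1 curve.
 EcdsaSecp256k1 {
 hashed_msg: HeapVector,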
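Review bot: The doc comment on `Keccakf1600` does not say what `message` must contain, and the field name suggests an arbitrary-length input although the solver on this page takes a fixed `[u64; KECCAK_LANES]` state with `KECCAK_LANES = 25`. Because `message` is a `HeapVector`, the type does not fix its length, so the executor has to reject any other size; that check is not visible in this hunk. I would document the variant as `/// Applies the Keccak-f[1600] permutation; message must hold exactly 25 64-bit lanes and output receives the 25 permuted lanes.` The enum continues outside the hunk.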