Merge pull request #8 from zkp-application/add_mont_exp

feat(mont exponent): add mont exp alg

Author: jacksoom

circuits/mont_exp.circom

@@ -0,0 +1,67 @@
+include "./montgomery.circom"
+// r = 2 ^ (n * w). n is the modulus word count
+// p_a = a * r mod modulus
+// p_A = r mod modulus
+// output A = (a ^ e) mod(p)
+template mont_exp(w, nb) {
+    signal input p_a[nb];
+    signal input p_A[nb];
+
+    signal input exp;
+    signal input m0inv;
+    signal input modulus[nb];
+
+
+    signal output out[nb];
+
+    exp === 65537;
+    
+    component muls[19];
+    for (var i = 0; i< 19; i++) {
+        muls[i] = mont_cios(w, nb);
+
+        muls[i].m0inv <-- m0inv;
+
+        for (var j = 0; j < nb; j++) {
+            muls[i].modulus[j] <-- modulus[j];
+        }
+
+        if (i == 0) {
+            for (var j = 0; j < nb; j++) {
+                muls[i].x[j] <-- p_A[j];
+                muls[i].y[j] <-- p_A[j];
+            }
+        } else if (i == 1 || i == 18) {
+            for (var j = 0; j < nb; j++) {
+                muls[i].x[j] <-- muls[i - 1].out[j];
+                muls[i].y[j] <-- p_a[j];
+            }
+        } else {
+            for (var j = 0; j < nb; j++) {
+                muls[i].x[j] <-- muls[i - 1].out[j];
+                muls[i].y[j] <-- muls[i - 1].out[j];
+            } 
+        }
+    }
+
+    // A <- MontPr(p_A, 1);
+    component result_mul = mont_cios(w, nb);
+
+    result_mul.m0inv <-- m0inv;
+
+    for (var j = 0; j < nb; j++) {
+        result_mul.modulus[j] <-- modulus[j];
+        result_mul.x[j] <-- muls[18].out[j];
+
+        if (j == 0) {
+            result_mul.y[j] <-- 1;
+        }else {
+            result_mul.y[j] <-- 0;
+        }
+    }
+
+
+    for (var i = 0; i< nb; i++) {
+        out[i] <-- result_mul.out[i];
+    }
+}

circuits/montgomery.circom

@@ -11,7 +11,7 @@ template mont_mul(w, nb) {
 
     signal output out [nb];
 
-    component montPr = mont_pr_cios(w, nb);
+    component montPr = mont_cios(w, nb);
 
     for (var i = 0; i < nb; i++) {
         montPr.x[i] <-- pre_compute_a[i];
@@ -29,7 +29,7 @@ template mont_mul(w, nb) {
 // Montgomery modular multiplication. CIOS alg
 // Souce paper from https://www.microsoft.com/en-us/research/wp-content/uploads/1998/06/97Acar.pdf
 // (x * y) mod modulus
-template mont_pr_cios(w, nb) {
+template mont_cios(w, nb) {
     signal input x[nb];
     signal input y[nb];
     signal input modulus[nb];
@@ -92,7 +92,6 @@ template mont_pr_cios(w, nb) {
 }
 
 // a > modulus ? a - modulus : a;
-// 
 template normalize(w, nb) {
     signal input a[nb];
     signal input modulus[nb];
@@ -123,7 +122,6 @@ template normalize(w, nb) {
         }
     } else {
          // out =  a - m;
-
         for (var i = 0; i< nb; i++) {
             temp = a[i];
 

test/circuits/mont_exp.circom

@@ -0,0 +1,3 @@
+include "../../circuits/mont_exp.circom"
+
+component main = mont_exp(64, 32);

test/circuits/montgomery.circom renamed to test/circuits/montgomery_64_32.circom

@@ -1,3 +1,3 @@
 include "../../circuits/montgomery.circom"
 
-component main = mont_pr_cios(64, 4);
+component main = mont_cios(64, 32);

test/circuits/montgomery_64_4.circom

@@ -0,0 +1,3 @@
+include "../../circuits/montgomery.circom"
+
+component main = mont_cios(64, 4);

test/mont_exp.js

@@ -0,0 +1,55 @@
+const path = require("path");
+
+const bigInt = require("big-integer");
+const Scalar = require("ffjavascript").Scalar;
+const tester = require("circom").tester;
+
+const { splitToArray } = require("./util.js");
+
+
+describe("montgomery exponent 64bits/4words", function () {
+    this.timeout(100000);
+
+    let circuit;
+    before(async () => {
+        circuit = await tester(path.join(__dirname, "circuits", "mont_exp.circom"));
+    });
+
+    it("64bits/4words. and mod = 52435875175126190479447740508185965837690552500527637822603658699938581184513", async () => {
+
+        const modulus = bigInt("24226501697440012621102249466312043787685293040734225606346036389705515508545746221669035424138747582133889500686654172873671086178893587422987328751464627501601101326475761646014534358699943642495332701081302954020983110372109611581202820849485662540890985814355975252780310958088652613376767040069489530039075302709233494829280591680666351811024913107949144932224439129715181798714328219977771472462901856297952813239115577652450722815852332547886777292613005505949100406231716599634852632308325816916535875123863510650526931916871614411907700873376659841257216885666098127478325534982891697988739616416855214839339");
+
+        const m0inv = "4736324870124914557";
+
+        const sign = bigInt("27166015521685750287064830171899789431519297967327068200526003963687696216659347317736779094212876326032375924944649760206771585778103092909024744594654706678288864890801000499430246054971129440518072676833029702477408973737931913964693831642228421821166326489172152903376352031367604507095742732994611253344812562891520292463788291973539285729019102238815435155266782647328690908245946607690372534644849495733662205697837732960032720813567898672483741410294744324300408404611458008868294953357660121510817012895745326996024006347446775298357303082471522757091056219893320485806442481065207020262668955919408138704593");
+
+        // p_A = (2 ** (64 * 32)) % modulus
+        const p_A = bigInt("8090504373870994679612627222357908172758809628981258425784309037819139630322144671528165987384165881554828460235243846620448472971597333672100823634983655619029776040825234445735663391689708464300724937302764614255809108270510144580635273488990507929690660037680329790107264933452413195230785359054440855482839030680434847591404383105898217683831262927377177125853366529615844393994132094172487120401275260427990790479346279705147628336449313356516920320620281725278025278479103610090304469418605506553142667456793187284519065351481384226307824293012777494286385249767131477166992943622060450204816237194204381391317");
+
+        // p_a = (a * r) % modulus
+        const p_a = bigInt("19072154410336807139418696976260212968540675922546765752736826145996869655756622548873347455947248021050921538311171789715523470247724251557601058125103625700941761034646698858071310182565269768981168519584711995302991904285228697391419713388819104994438114806716920075484924844137359380134009667510391269169076279760491579238026910153675786149676670940528964362751766341740256137008228081948558082219709238817789460567174381895573690274674295098414261384354408417638073989695885913898217149419056478104428576834037267113663842145482274989462614945861102288293269483256693676536058880107741774817376564564751474668870");
+
+        var testCases = [{
+            description: "calc powerMod",
+            input: {
+                // 1844674407370955161600
+                p_a: splitToArray(p_a, 64, 32),
+                p_A: splitToArray(p_A, 64, 32),
+
+                exp: 65537,
+                modulus: splitToArray(modulus, 64, 32),
+                m0inv: m0inv,
+            },
+            output: { out: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] },
+        }];
+
+
+        for (var i = 0; i < testCases.length; i++) {
+            const witness = await circuit.calculateWitness(testCases[i].input, true);
+
+            await circuit.assertOut(witness, testCases[i].output);
+        }
+    });
+});
+
+

test/montgomery_reduction.js

@@ -12,7 +12,7 @@ describe("montgomery reduction 64bits/4words", function () {
 
     let circuit;
     before(async () => {
-        circuit = await tester(path.join(__dirname, "circuits", "montgomery.circom"));
+        circuit = await tester(path.join(__dirname, "circuits", "montgomery_64_4.circom"));
     });
 
     it("64bits/4words. and mod = 52435875175126190479447740508185965837690552500527637822603658699938581184513", async () => {
@@ -61,4 +61,3 @@ describe("montgomery reduction 64bits/4words", function () {
         }
     });
 });
-

test/montgomery_reduction_64_32.js

@@ -0,0 +1,90 @@
+const path = require("path");
+
+const bigInt = require("big-integer");
+const Scalar = require("ffjavascript").Scalar;
+const tester = require("circom").tester;
+
+const { splitToArray } = require("./util.js");
+
+
+describe("montgomery reduction 64bits/32words", function () {
+    this.timeout(100000);
+
+    let circuit;
+    before(async () => {
+        circuit = await tester(path.join(__dirname, "circuits", "montgomery_64_32.circom"));
+    });
+
+    it("64bits/4words. and mod = 52435875175126190479447740508185965837690552500527637822603658699938581184513", async () => {
+
+        const modulus = bigInt("27333278531038650284292446400685983964543820405055158402397263907659995327446166369388984969315774410223081038389734916442552953312548988147687296936649645550823280957757266695625382122565413076484125874545818286099364801140117875853249691189224238587206753225612046406534868213180954324992542640955526040556053150097561640564120642863954208763490114707326811013163227280580130702236406906684353048490731840275232065153721031968704703853746667518350717957685569289022049487955447803273805415754478723962939325870164033644600353029240991739641247820015852898600430315191986948597672794286676575642204004244219381500407");
+
+        const m0inv = "12890617734997456953";
+
+        const sign = bigInt("27166015521685750287064830171899789431519297967327068200526003963687696216659347317736779094212876326032375924944649760206771585778103092909024744594654706678288864890801000499430246054971129440518072676833029702477408973737931913964693831642228421821166326489172152903376352031367604507095742732994611253344812562891520292463788291973539285729019102238815435155266782647328690908245946607690372534644849495733662205697837732960032720813567898672483741410294744324300408404611458008868294953357660121510817012895745326996024006347446775298357303082471522757091056219893320485806442481065207020262668955919408138704593");
+
+        // p_A = (2 ** (64 * 32)) % modulus
+        const p_A = bigInt("8090504373870994679612627222357908172758809628981258425784309037819139630322144671528165987384165881554828460235243846620448472971597333672100823634983655619029776040825234445735663391689708464300724937302764614255809108270510144580635273488990507929690660037680329790107264933452413195230785359054440855482839030680434847591404383105898217683831262927377177125853366529615844393994132094172487120401275260427990790479346279705147628336449313356516920320620281725278025278479103610090304469418605506553142667456793187284519065351481384226307824293012777494286385249767131477166992943622060450204816237194204381391317");
+
+        const r = bigInt("32317006071311007300714876688669951960444102669715484032130345427524655138867890893197201411522913463688717960921898019494119559150490921095088152386448283120630877367300996091750197750389652106796057638384067568276792218642619756161838094338476170470581645852036305042887575891541065808607552399123930385521914333389668342420684974786564569494856176035326322058077805659331026192708460314150258592864177116725943603718461857357598351152301645904403697613233287231227125684710820209725157101726931323469678542580656697935045997268352998638215525166389437335543602135433229604645318478604952148193555853611059596230656");
+        // p_a = (a * r) % modulus
+        const p_a = sign.multiply(r).mod(modulus);
+
+
+        const result = sign.multiply(sign).mod(modulus);
+
+       // console.log("result", splitToArray(result, 64, 32));
+
+        var testCases = [{
+            description: "one word",
+            input: {
+                x: splitToArray(p_a, 64, 32),
+                y: splitToArray(sign, 64, 32),
+                modulus: splitToArray(modulus, 64, 32),
+                m0inv: m0inv,
+            },
+            output: {
+                out: [
+                    "6726338490320059920",
+                    "10912188918279059842",
+                    "9480684547274909370",
+                    "17957855819450938343",
+                    "14472935173278472155",
+                    "7079099867353219214",
+                    "16449430926296343172",
+                    "5104880238183543706",
+                    "10665479437761628207",
+                    "5855523454381758411",
+                    "10461162232393809384",
+                    "8506503615129027292",
+                    "713958493375598634",
+                    "6870643563889906329",
+                    "6496643502438963194",
+                    "3333526337816518494",
+                    "7059814241034669637",
+                    "11046528448239496056",
+                    "8821061847720768545",
+                    "8804814027843795770",
+                    "9550990298891609521",
+                    "4546832636732460115",
+                    "11005916837189288046",
+                    "6747247992486122322",
+                    "8062076261952398748",
+                    "11274417876012308159",
+                    "12082695046704314515",
+                    "9977902230884319566",
+                    "8117196317861485583",
+                    "6870310691445046553",
+                    "15178250919948156997",
+                    "13075022197409122935"]
+            },
+        }]
+
+
+        for (var i = 0; i < testCases.length; i++) {
+            const witness = await circuit.calculateWitness(testCases[i].input, true);
+
+            await circuit.assertOut(witness, testCases[i].output);
+        }
+    });
+});

test/montgomery_reduction_64_4.js

@@ -0,0 +1,63 @@
+const path = require("path");
+
+const bigInt = require("big-integer");
+const Scalar = require("ffjavascript").Scalar;
+const tester = require("circom").tester;
+
+const { splitToArray } = require("./util.js");
+
+
+describe("montgomery reduction 64bits/4words", function () {
+    this.timeout(100000);
+
+    let circuit;
+    before(async () => {
+        circuit = await tester(path.join(__dirname, "circuits", "montgomery_64_4.circom"));
+    });
+
+    it("64bits/4words. and mod = 52435875175126190479447740508185965837690552500527637822603658699938581184513", async () => {
+
+        const modulus = splitToArray(bigInt("52435875175126190479447740508185965837690552500527637822603658699938581184513"), 64, 4);
+        const m0inv = "18446744069414584319";
+
+
+        var testCases = [{
+            description: "one word",
+            input: {
+                x: splitToArray(bigInt("1844674407370955161600"), 64, 4),
+                y: splitToArray(bigInt("100"), 64, 4),
+                // 52435875175126190479447740508185965837690552500527637822603658699938581184513
+                modulus: modulus,
+                m0inv: m0inv,
+            },
+            output: { out: [0, 0, 10000, 0] },
+        }, {
+            description: "two words",
+            input: {
+                x: splitToArray(bigInt("184467440737095516161561654"), 64, 4),
+                y: splitToArray(bigInt("184467440737095516161561654"), 64, 4),
+                // 52435875175126190479447740508185965837690552500527637822603658699938581184513
+                modulus: modulus,
+                m0inv: m0inv,
+            },
+            output: { out: [2438763215716, 31233080000000, 100000000000000, 0] },
+        }, {
+            description: "Four words",
+            input: {
+                x: ['9366702579560100036', '3153357315881433552', '1550162754830709279', '3363521531482743643'],
+                y: splitToArray(bigInt("12389174593798789739243342131821798678432796312321"), 64, 4),
+                // 52435875175126190479447740508185965837690552500527637822603658699938581184513
+                modulus: modulus,
+                m0inv: m0inv,
+            },
+            output: { out: ['11877590625878374308', '91176932193565308', '14825753355501141940', '4643043795916575606'] },
+        }
+        ]
+
+
+        for (var i = 0; i < testCases.length; i++) {
+            const witness = await circuit.calculateWitness(testCases[i].input, true);
+            await circuit.assertOut(witness, testCases[i].output);
+        }
+    });
+});