diff --git a/circuits/circom/verify_nullifier.circom b/circuits/circom/verify_nullifier.circom
index 7af8af3..396d2c7 100644
--- a/circuits/circom/verify_nullifier.circom
+++ b/circuits/circom/verify_nullifier.circom
@@ -29,6 +29,10 @@ template plume_v1(n, k, message_length) {
 signal input q1_x_mapped[4];
 signal input q1_y_mapped[4];
+ // compressing public key here to avoid compressing it twice in both `check_ec_equations1 and `sha256_12_coordinates`
+ component pk_compressor = compress_ec_point(n, k);
+ pk_compressor.uncompressed <== pk;
+
 // precomputed value for the sha256 component. TODO: calculate internally in circom to simplify API
 signal input sha256_preimage_bit_length;
@@ -36,7 +40,7 @@ template plume_v1(n, k, message_length) {
 check_ec_equations.c <== c;
 check_ec_equations.s <== s;
- check_ec_equations.pk <== pk;
+ check_ec_equations.pk <== pk_compressor.compressed;
 check_ec_equations.nullifier <== nullifier;
 check_ec_equations.plume_message <== plume_message;
@@ -59,15 +63,15 @@ template plume_v1(n, k, message_length) {
 g[0] = get_genx(n, k);
 g[1] = get_geny(n, k);
 c_sha256.preimage_bit_length <== sha256_preimage_bit_length;
+ c_sha256.pk_compressed <== pk_compressor.compressed;
 for (var i = 0; i < 2; i++) {
 for (var j = 0; j < k; j++) {
 c_sha256.coordinates[i][j] <== g[i][j];
- c_sha256.coordinates[2+i][j] <== pk[i][j];
- c_sha256.coordinates[4+i][j] <== check_ec_equations.hashed_to_curve[i][j];
- c_sha256.coordinates[6+i][j] <== nullifier[i][j];
- c_sha256.coordinates[8+i][j] <== check_ec_equations.r_point[i][j];
- c_sha256.coordinates[10+i][j] <== check_ec_equations.hashed_to_curve_r[i][j];
+ c_sha256.coordinates[2+i][j] <== check_ec_equations.hashed_to_curve[i][j];
+ c_sha256.coordinates[4+i][j] <== nullifier[i][j];
+ c_sha256.coordinates[6+i][j] <== check_ec_equations.r_point[i][j];
+ c_sha256.coordinates[8+i][j] <== check_ec_equations.hashed_to_curve_r[i][j];
 }
 }
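Review bot: The new comment in the first hunk is malformed: the backtick before `check_ec_equations` is never closed and a stray `1` is glued to the name, so it reads as referring to a non-existent template. It should say that the compressed key is computed once here and fed to both `check_ec_equations` and `sha256_12_coordinates`, with each name in its own closed backticks. While touching it, stating that `pk_compressor.compressed` is the 33-byte compressed encoding the other two components expect would save the reader a lookup into `compress_ec_point`.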
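Review bot: In the second hunk, `check_ec_equations.pk <== pk_compressor.compressed;` targets an input that the `check_ec_equations` template no longer declares: the later hunk replaces `signal input pk[2][k]` with `signal input pk_compressed[33]`, and `plume_v2` already uses the new name. As written, `plume_v1` should fail to compile (or, at best, silently leave `pk_compressed` unconstrained, which would let a prover use a different key in the hash-to-curve input than in the nullifier hash). The line should read `check_ec_equations.pk_compressed <== pk_compressor.compressed;`, matching `plume_v2`. The `plume_v1` template body continues outside this hunk.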
@@ -115,11 +119,14 @@ template plume_v2(n, k, message_length) {
 signal input q1_x_mapped[4];
 signal input q1_y_mapped[4];
+ component pk_compressor = compress_ec_point(n, k);
+ pk_compressor.uncompressed <== pk;
+
 component check_ec_equations = check_ec_equations(n, k, message_length);
 check_ec_equations.c <== c;
 check_ec_equations.s <== s;
- check_ec_equations.pk <== pk;
+ check_ec_equations.pk_compressed <== pk_compressor.compressed;
 check_ec_equations.nullifier <== nullifier;
 check_ec_equations.plume_message <== plume_message;
@@ -144,7 +151,7 @@ template check_ec_equations(n, k, message_length) {
 signal input c[k];
 signal input s[k];
 signal input plume_message[message_length];
- signal input pk[2][k];
+ signal input pk_compressed[33];
 signal input nullifier[2][k];
 signal output r_point[2][k];
@@ -186,14 +193,10 @@ template check_ec_equations(n, k, message_length) {
 component hash_to_curve = HashToCurve(message_length + 33);
 for (var i = 0; i < message_length; i++) {
 hash_to_curve.msg[i] <== plume_message[i];
- }
-
- component pk_compressor = compress_ec_point(n, k);
-
- pk_compressor.uncompressed <== pk;
+ }
 for (var i = 0; i < 33; i++) {
- hash_to_curve.msg[message_length + i] <== pk_compressor.compressed[i];
+ hash_to_curve.msg[message_length + i] <== pk_compressed[i];
 }
 // Input precalculated values into HashToCurve
@@ -258,13 +261,14 @@ template a_div_b_pow_c(n, k) {
 }
 template sha256_12_coordinates(n, k) {
- signal input coordinates[12][k];
+ signal input pk_compressed[33];
+ signal input coordinates[10][k];
 signal input preimage_bit_length;
 signal output out[256];
 // compress coordinates
- component compressors[6];
- for (var i = 0; i < 6; i++) {
+ component compressors[5];
+ for (var i = 0; i < 5; i++) {
 compressors[i] = compress_ec_point(n, k);
 compressors[i].uncompressed[0] <== coordinates[2*i];
 compressors[i].uncompressed[1] <== coordinates[2*i + 1];
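Review bot: The last hunk changes the contract of `sha256_12_coordinates` (the public key now arrives pre-compressed as `pk_compressed[33]` and `coordinates` shrinks to 10 rows) without documenting the new layout, and the template name still says 12 coordinates. A header comment above the signal declarations would prevent callers wiring the rows in the wrong order, e.g. `// Preimage is 6 compressed points in this order: g, pk, hashed_to_curve, nullifier, r_point, hashed_to_curve_r. pk is supplied already compressed (pk_compressed[33]); the other five arrive uncompressed as coordinates[2*i], coordinates[2*i+1] and are compressed here.` The order is taken from how `plume_v1` fills `c_sha256.coordinates` in the first file hunk; confirm it against the hash-to-curve and nullifier spec the circuit targets, since any reordering changes `out`. The template body continues past this hunk.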
@@ -274,8 +278,13 @@ template sha256_12_coordinates(n, k) {
 component binary[6*33];
 for (var i = 0; i < 6; i++) { // for each compressor
 for (var j = 0; j < 33; j++) { // for each byte
+ if (i == 1) {
+ binary[33*i + j] = Num2Bits(8);
+ binary[33*i + j].in <== pk_compressed[j];
+ } else {
 binary[33*i + j] = Num2Bits(8);
 binary[33*i + j].in <== compressors[i].compressed[j];
+ }
 }
 }
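Review bot: The `else` branch still reads `compressors[i].compressed[j]` for i = 2..5, but the previous hunk shrank `compressors` to five entries, so i = 5 indexes past the array and slots 2..4 pick up the wrong points (slot 2 would get the nullifier's compressor instead of hashed_to_curve). Circom should reject the out-of-range index at compile time, but if it ever compiled the preimage order would silently differ from the one the old 12-row layout produced, so `out` would no longer match what a verifier computes outside the circuit. Since pk no longer owns a compressor, every slot after the pk slot has to read `compressors[i - 1]`; the rewrite below keeps the `Num2Bits(8)` allocation common to all branches. The remaining code of the template lies outside this hunk, and a test pinning `out` against a known digest for fixed inputs would catch this class of regression.
```circom
for (var i = 0; i < 6; i++) { // for each compressed point, in preimage order
    for (var j = 0; j < 33; j++) { // for each byte
        binary[33*i + j] = Num2Bits(8);
        if (i == 0) {
            binary[33*i + j].in <== compressors[0].compressed[j];
        } else if (i == 1) {
            // pk arrives pre-compressed and has no compressor of its own
            binary[33*i + j].in <== pk_compressed[j];
        } else {
            // slots 2..5 map onto compressors[1..4]
            binary[33*i + j].in <== compressors[i - 1].compressed[j];
        }
    }
}
```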