[FEAT] AES (T)OPRF in library

reclaimprotocol · Nov 21, 2024 · 9e9e815 · 9e9e815
1 parent d676b1a
commit 9e9e815
Show file tree

Hide file tree

Showing 33 changed files with 614 additions and 195 deletions.
diff --git a/gnark/circuits/aesV2/common.go → gnark/circuits/aesV2/aes.go b/gnark/circuits/aesV2/common.go → gnark/circuits/aesV2/aes.go
@@ -47,7 +47,8 @@ func NewAESGadget(api frontend.API, keySize int) AESGadget {
 	return AESGadget{api: api, sbox: sbox, RCon: RCon, t0: t0, t1: t1, t2: t2, t3: t3, keySize: keySize}
 }
 
-func (aes *AESWrapper) Define(api frontend.API, keySize int) error {
+func (aes *AESWrapper) Define(api frontend.API) error {
+	keySize := len(aes.Key)
 
 	if keySize != 16 && keySize != 32 {
 		return errors.New("key size must be 16 or 32")

diff --git a/gnark/circuits/aesV2/aes128.go b/gnark/circuits/aesV2/aes128.go
diff --git a/gnark/circuits/aesV2/aes128_test.go b/gnark/circuits/aesV2/aes128_test.go
@@ -38,14 +38,12 @@ func TestAES128(t *testing.T) {
 	nonceAssign := StrToIntSlice(Nonce, true)
 
 	// witness values preparation
-	assignment := AES128Wrapper{
-		AESWrapper{
-			Key:     make([]frontend.Variable, 16),
-			Counter: Counter,
-			Nonce:   [12]frontend.Variable{},
-			In:      [BLOCKS * 16]frontend.Variable{},
-			Out:     [BLOCKS * 16]frontend.Variable{},
-		},
+	assignment := AESWrapper{
+		Key:     make([]frontend.Variable, 16),
+		Counter: Counter,
+		Nonce:   [12]frontend.Variable{},
+		In:      [BLOCKS * 16]frontend.Variable{},
+		Out:     [BLOCKS * 16]frontend.Variable{},
 	}
 
 	// assign values here because required to use make in assignment
@@ -63,14 +61,12 @@ func TestAES128(t *testing.T) {
 		assignment.Nonce[i] = nonceAssign[i]
 	}
 
-	assert.CheckCircuit(&AES128Wrapper{
-		AESWrapper{
-			Key:     make([]frontend.Variable, 16),
-			Counter: Counter,
-			Nonce:   [12]frontend.Variable{},
-			In:      [BLOCKS * 16]frontend.Variable{},
-			Out:     [BLOCKS * 16]frontend.Variable{},
-		},
+	assert.CheckCircuit(&AESWrapper{
+		Key:     make([]frontend.Variable, 16),
+		Counter: Counter,
+		Nonce:   [12]frontend.Variable{},
+		In:      [BLOCKS * 16]frontend.Variable{},
+		Out:     [BLOCKS * 16]frontend.Variable{},
 	}, test.WithValidAssignment(&assignment))
 }
 
@@ -101,10 +97,8 @@ func mustHex(s string) []byte {
 func TestCompile(t *testing.T) {
 	curve := ecc.BN254.ScalarField()
 
-	witness := AES128Wrapper{
-		AESWrapper: AESWrapper{
-			Key: make([]frontend.Variable, 16),
-		},
+	witness := AESWrapper{
+		Key: make([]frontend.Variable, 16),
 	}
 
 	r1css, err := frontend.Compile(curve, r1cs.NewBuilder, &witness)

diff --git a/gnark/circuits/aesV2/aes256.go b/gnark/circuits/aesV2/aes256.go
diff --git a/gnark/circuits/aesV2/aes256_test.go b/gnark/circuits/aesV2/aes256_test.go
@@ -38,14 +38,12 @@ func TestAES256(t *testing.T) {
 	nonceAssign := StrToIntSlice(Nonce, true)
 
 	// witness values preparation
-	assignment := AES256Wrapper{
-		AESWrapper{
-			Key:     make([]frontend.Variable, 32),
-			Counter: Counter,
-			Nonce:   [12]frontend.Variable{},
-			In:      [BLOCKS * 16]frontend.Variable{},
-			Out:     [BLOCKS * 16]frontend.Variable{},
-		},
+	assignment := AESWrapper{
+		Key:     make([]frontend.Variable, 32),
+		Counter: Counter,
+		Nonce:   [12]frontend.Variable{},
+		In:      [BLOCKS * 16]frontend.Variable{},
+		Out:     [BLOCKS * 16]frontend.Variable{},
 	}
 
 	// assign values here because required to use make in assignment
@@ -63,24 +61,20 @@ func TestAES256(t *testing.T) {
 		assignment.Nonce[i] = nonceAssign[i]
 	}
 
-	assert.CheckCircuit(&AES256Wrapper{
-		AESWrapper{
-			Key:     make([]frontend.Variable, 32),
-			Counter: Counter,
-			Nonce:   [12]frontend.Variable{},
-			In:      [BLOCKS * 16]frontend.Variable{},
-			Out:     [BLOCKS * 16]frontend.Variable{},
-		},
+	assert.CheckCircuit(&AESWrapper{
+		Key:     make([]frontend.Variable, 32),
+		Counter: Counter,
+		Nonce:   [12]frontend.Variable{},
+		In:      [BLOCKS * 16]frontend.Variable{},
+		Out:     [BLOCKS * 16]frontend.Variable{},
 	}, test.WithValidAssignment(&assignment))
 }
 
 func TestCompile256(t *testing.T) {
 	curve := ecc.BN254.ScalarField()
 
-	witness := AES256Wrapper{
-		AESWrapper: AESWrapper{
-			Key: make([]frontend.Variable, 32),
-		},
+	witness := AESWrapper{
+		Key: make([]frontend.Variable, 32),
 	}
 
 	r1css, err := frontend.Compile(curve, r1cs.NewBuilder, &witness)

diff --git a/gnark/circuits/aesV2_oprf/common.go → gnark/circuits/aesV2_oprf/aes.go b/gnark/circuits/aesV2_oprf/common.go → gnark/circuits/aesV2_oprf/aes.go
@@ -34,7 +34,7 @@ type AESWrapper struct {
 	Nonce   [12]frontend.Variable              `gnark:",public"`
 	Counter frontend.Variable                  `gnark:",public"`
 	In      [BLOCKS * 16]frontend.Variable     `gnark:",public"`
-	Out     [BLOCKS * 16]frontend.Variable     `gnark:",public"`
+	Out     [BLOCKS * 16]frontend.Variable     // plaintext
 	Bitmask [BLOCKS * 16 * 8]frontend.Variable `gnark:",public"` // bit mask for bytes being hashed
 
 	// Length of "secret data" elements to be hashed. In bytes
@@ -72,11 +72,11 @@ func NewAESGadget(api frontend.API, keySize int) AESGadget {
 	return AESGadget{api: api, sbox: sbox, RCon: RCon, t0: t0, t1: t1, t2: t2, t3: t3, keySize: keySize}
 }
 
-func (aes *AESWrapper) Define(api frontend.API, keySize int) error {
+func (aes *AESWrapper) Define(api frontend.API) error {
 	counter := aes.Counter
 	var counterBlock [16]frontend.Variable
 
-	gAes := NewAESGadget(api, keySize)
+	gAes := NewAESGadget(api, len(aes.Key))
 
 	for i := 0; i < 12; i++ {
 		counterBlock[i] = aes.Nonce[i]

diff --git a/gnark/circuits/aesV2_oprf/aes128.go b/gnark/circuits/aesV2_oprf/aes128.go
diff --git a/gnark/circuits/aesV2_oprf/aes128_test.go b/gnark/circuits/aesV2_oprf/aes128_test.go
@@ -46,14 +46,12 @@ func TestAES128(t *testing.T) {
 
 	witness := createWitness(d, keyAssign, nonceAssign, Counter, ciphertext, plaintext, pos, len(secretBytes))
 
-	assert.CheckCircuit(&AES128Wrapper{
-		AESWrapper{
-			Key:     make([]frontend.Variable, 16),
-			Counter: Counter,
-			Nonce:   [12]frontend.Variable{},
-			In:      [BLOCKS * 16]frontend.Variable{},
-			Out:     [BLOCKS * 16]frontend.Variable{},
-		},
+	assert.CheckCircuit(&AESWrapper{
+		Key:     make([]frontend.Variable, 16),
+		Counter: Counter,
+		Nonce:   [12]frontend.Variable{},
+		In:      [BLOCKS * 16]frontend.Variable{},
+		Out:     [BLOCKS * 16]frontend.Variable{},
 	}, test.WithValidAssignment(&witness), test.WithCurves(ecc.BN254))
 
 	r1css, err := frontend.Compile(ecc.BN254.ScalarField(), r1cs.NewBuilder, &witness)
@@ -72,26 +70,23 @@ func mustHex(s string) []byte {
 	return b
 }
 
-func createWitness(d *toprf.TOPRFParams, bKey []uint8, bNonce []uint8, counter int, ciphertext []byte, plaintext []byte, pos, l int) AES128Wrapper {
-	witness := AES128Wrapper{
-
-		AESWrapper{
-			Key:     make([]frontend.Variable, 16),
-			Nonce:   [12]frontend.Variable{},
-			Counter: counter,
-			In:      [BLOCKS * 16]frontend.Variable{},
-			Out:     [BLOCKS * 16]frontend.Variable{},
-			Len:     l,
-			TOPRF: TOPRFData{
-				Mask:              d.Mask,
-				DomainSeparator:   d.DomainSeparator,
-				EvaluatedElements: d.Responses,
-				Coefficients:      d.Coefficients,
-				Output:            d.Output,
-				PublicKeys:        d.SharePublicKeys,
-				C:                 d.C,
-				R:                 d.R,
-			},
+func createWitness(d *toprf.TOPRFParams, bKey []uint8, bNonce []uint8, counter int, ciphertext []byte, plaintext []byte, pos, l int) AESWrapper {
+	witness := AESWrapper{
+		Key:     make([]frontend.Variable, 16),
+		Nonce:   [12]frontend.Variable{},
+		Counter: counter,
+		In:      [BLOCKS * 16]frontend.Variable{},
+		Out:     [BLOCKS * 16]frontend.Variable{},
+		Len:     l,
+		TOPRF: TOPRFData{
+			Mask:              d.Mask,
+			DomainSeparator:   d.DomainSeparator,
+			EvaluatedElements: d.Responses,
+			Coefficients:      d.Coefficients,
+			Output:            d.Output,
+			PublicKeys:        d.SharePublicKeys,
+			C:                 d.C,
+			R:                 d.R,
 		},
 	}
 

diff --git a/gnark/circuits/aesV2_oprf/aes256.go b/gnark/circuits/aesV2_oprf/aes256.go
diff --git a/gnark/circuits/aesV2_oprf/aes256_test.go b/gnark/circuits/aesV2_oprf/aes256_test.go
@@ -46,14 +46,12 @@ func TestAES256(t *testing.T) {
 
 	witness := createWitness256(d, keyAssign, nonceAssign, Counter, ciphertext, plaintext, pos, len(secretBytes))
 
-	assert.CheckCircuit(&AES256Wrapper{
-		AESWrapper{
-			Key:     make([]frontend.Variable, 32),
-			Counter: Counter,
-			Nonce:   [12]frontend.Variable{},
-			In:      [BLOCKS * 16]frontend.Variable{},
-			Out:     [BLOCKS * 16]frontend.Variable{},
-		},
+	assert.CheckCircuit(&AESWrapper{
+		Key:     make([]frontend.Variable, 32),
+		Counter: Counter,
+		Nonce:   [12]frontend.Variable{},
+		In:      [BLOCKS * 16]frontend.Variable{},
+		Out:     [BLOCKS * 16]frontend.Variable{},
 	}, test.WithValidAssignment(&witness), test.WithCurves(ecc.BN254))
 
 	r1css, err := frontend.Compile(ecc.BN254.ScalarField(), r1cs.NewBuilder, &witness)
@@ -64,26 +62,23 @@ func TestAES256(t *testing.T) {
 	fmt.Printf("constraints: %d\n", r1css.GetNbConstraints())
 }
 
-func createWitness256(d *toprf.TOPRFParams, bKey []uint8, bNonce []uint8, counter int, ciphertext []byte, plaintext []byte, pos, l int) AES256Wrapper {
-	witness := AES256Wrapper{
-
-		AESWrapper{
-			Key:     make([]frontend.Variable, 32),
-			Nonce:   [12]frontend.Variable{},
-			Counter: counter,
-			In:      [BLOCKS * 16]frontend.Variable{},
-			Out:     [BLOCKS * 16]frontend.Variable{},
-			Len:     l,
-			TOPRF: TOPRFData{
-				Mask:              d.Mask,
-				DomainSeparator:   d.DomainSeparator,
-				EvaluatedElements: d.Responses,
-				Coefficients:      d.Coefficients,
-				Output:            d.Output,
-				PublicKeys:        d.SharePublicKeys,
-				C:                 d.C,
-				R:                 d.R,
-			},
+func createWitness256(d *toprf.TOPRFParams, bKey []uint8, bNonce []uint8, counter int, ciphertext []byte, plaintext []byte, pos, l int) AESWrapper {
+	witness := AESWrapper{
+		Key:     make([]frontend.Variable, 32),
+		Nonce:   [12]frontend.Variable{},
+		Counter: counter,
+		In:      [BLOCKS * 16]frontend.Variable{},
+		Out:     [BLOCKS * 16]frontend.Variable{},
+		Len:     l,
+		TOPRF: TOPRFData{
+			Mask:              d.Mask,
+			DomainSeparator:   d.DomainSeparator,
+			EvaluatedElements: d.Responses,
+			Coefficients:      d.Coefficients,
+			Output:            d.Output,
+			PublicKeys:        d.SharePublicKeys,
+			C:                 d.C,
+			R:                 d.R,
 		},
 	}
 

diff --git a/gnark/keygen/keygen.go b/gnark/keygen/keygen.go
@@ -28,24 +28,12 @@ type algCircuit struct {
 }
 
 var algMappings = map[string]*algCircuit{
-	"chacha20": {"chacha20", &chachaV3.ChaChaCircuit{}},
-	"aes128": {"aes-128-ctr", &aes_v2.AES128Wrapper{
-		AESWrapper: aes_v2.AESWrapper{
-			Key: make([]frontend.Variable, 16)}}},
-	"aes256": {"aes-256-ctr", &aes_v2.AES256Wrapper{
-		AESWrapper: aes_v2.AESWrapper{
-			Key: make([]frontend.Variable, 32)}}},
+	"chacha20":      {"chacha20", &chachaV3.ChaChaCircuit{}},
+	"aes128":        {"aes-128-ctr", &aes_v2.AESWrapper{Key: make([]frontend.Variable, 16)}},
+	"aes256":        {"aes-256-ctr", &aes_v2.AESWrapper{Key: make([]frontend.Variable, 32)}},
 	"chacha20_oprf": {"chacha20-toprf", &chachaV3_oprf.ChachaTOPRFCircuit{TOPRF: chachaV3_oprf.TOPRFData{}}},
-	"aes128_oprf": {"aes-128-ctr-oprf", &aes_v2_oprf.AES128Wrapper{
-		AESWrapper: aes_v2_oprf.AESWrapper{
-			Key:   make([]frontend.Variable, 16),
-			TOPRF: aes_v2_oprf.TOPRFData{},
-		}}},
-	"aes256_oprf": {"aes-256-ctr-oprf", &aes_v2_oprf.AES256Wrapper{
-		AESWrapper: aes_v2_oprf.AESWrapper{
-			Key:   make([]frontend.Variable, 32),
-			TOPRF: aes_v2_oprf.TOPRFData{},
-		}}},
+	"aes128_oprf":   {"aes-128-ctr-toprf", &aes_v2_oprf.AESWrapper{Key: make([]frontend.Variable, 16), TOPRF: aes_v2_oprf.TOPRFData{}}},
+	"aes256_oprf":   {"aes-256-ctr-toprf", &aes_v2_oprf.AESWrapper{Key: make([]frontend.Variable, 32), TOPRF: aes_v2_oprf.TOPRFData{}}},
 }
 
 func main() {